RS Form Pro Help -

Dreambringer
Joomla! Intern
Posts: 83
Joined: Mon Feb 11, 2008 8:42 pm

RS Form Pro Help -

Post by Dreambringer » Tue Sep 01, 2009 3:47 pm

I have tried to get support with them and they seem to be a bit slow and their hours are very different than mine, so I am looking for a little help. Oh yeah, their forums are not very active either.


For the most part I can find the answers to questions in here, but have not posted much.

I am working with RS!Form Pro and am looking to use a form as a registration page.

The code they provide is:

Code:

if (isset($_POST['form']['username']))
{
// Joomla 1.0 style: $database is expected to be a global database object
global $database;
$fullname = $_POST['form']['fullname'];
$email = $_POST['form']['email'];
$username = $_POST['form']['username'];
$password = $_POST['form']['password'];
// Check whether the username is already taken
$database->setQuery("SELECT `id` FROM #__users WHERE `username`='".$username."'");
$database->query();
if ($database->getNumRows() > 0) die('This username is already taken. Please press back and try a different username.');
// Insert the user row (gid 18 = Registered)
$database->setQuery("INSERT INTO #__users (`name`, `username`, `email`, `password`, `usertype`, `block`, `sendEmail`, `gid`, `registerDate`, `lastvisitDate`, `activation`, `params`) VALUES('".$fullname."', '".$username."', '".$email."', '".md5($password)."', '', 0, 0, 18, now(), now(), '', '')");
$database->query();
$userid = $database->insertid();
// Create the ACL object for the new user and map it to the Registered group
$database->setQuery("INSERT INTO #__core_acl_aro (`id`, `section_value`, `value`, `order_value`, `name`, `hidden`) VALUES ('', 'users', '".$userid."', 0, '".$fullname."', 0)");
$database->query();
$aro_id = $database->insertid();
$database->setQuery("INSERT INTO #__core_acl_groups_aro_map (`group_id`,`section_value`,`aro_id`) VALUES ('18','','".$aro_id."')");
$database->query();
exit();
}
 
So my form has the fields that are required, but when I submit my form I am getting the following error:

Code:

Fatal error: Call to a member function setQuery() on a non-object in /homepages/19/d194667862/htdocs/ja/components/com_rsform/controller/functions.php(1047) : eval()'d code on line 8
Any help or any point in the right direction would be much appreciated.

Thanks in advance...

Dream

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: RS Form Pro Help -

Post by fcoulter » Tue Sep 01, 2009 4:06 pm

What the error message is saying is that $database is not properly defined, so you should look into that.

The correct Joomla usage to get the database object is

Code:

$database =& JFactory::getDBO();

Also, you should do some input validation before running your SQL; your site will be vulnerable to SQL injection attacks otherwise. This code looks highly insecure.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
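As an added illustration of the two points above (it is not code from the thread, from fcoulter or from RSform!Pro), this rewrites the username check and the user insert from the first post for Joomla 1.5: the database object comes from JFactory instead of a `global $database`, and every string that reaches the SQL goes through `JDatabase::Quote()`. It assumes the Joomla 1.5 framework is loaded (JFactory, JDatabase, JRequest, JError) and that the form fields are named as in the first post. The two ACL inserts from the thread are left out; they would be quoted the same way, and the JUser class does them for you.

```php
<?php
defined('_JEXEC') or die('Restricted access');

// Added example, not code from the thread or from RSform!Pro.
// Assumes the Joomla 1.5 framework is loaded.

// The 'global $database' of the original snippet is a Joomla 1.0 leftover; in 1.5
// that variable is never set, hence "setQuery() on a non-object".
$db =& JFactory::getDBO();

// Returns true when $username is already in #__users.
// Vulnerable version from the thread:
//   "SELECT `id` FROM #__users WHERE `username`='".$username."'"
// where a quote character inside $username terminates the string literal and
// the rest of the input becomes SQL.
function usernameExists($db, $username)
{
    // Quote() escapes the value for this connection and wraps it in quotes,
    // so whatever was typed is compared as a plain string.
    $db->setQuery('SELECT id FROM #__users WHERE username = ' . $db->Quote($username));
    return (int) $db->loadResult() > 0;
}

// Inserts the user row with every string column passed through Quote() and every
// numeric column written as a literal, so input can change the values but never
// the shape of the statement. Returns the new id, or 0 on failure.
function insertUserRow($db, $fullname, $username, $email, $password)
{
    $query = 'INSERT INTO #__users'
        . ' (name, username, email, password, usertype, block, sendEmail, gid,'
        . ' registerDate, lastvisitDate, activation, params) VALUES ('
        . $db->Quote($fullname) . ', '
        . $db->Quote($username) . ', '
        . $db->Quote($email) . ', '
        . $db->Quote(md5($password)) . ', '   // unsalted md5, as in the thread
        . $db->Quote('Registered') . ', 0, 0, 18, NOW(), NOW(), '
        . $db->Quote('') . ', ' . $db->Quote('') . ')';
    $db->setQuery($query);
    if (!$db->query()) {
        return 0;
    }
    return (int) $db->insertid();
}

// Usage: RSform!Pro posts the fields as $_POST['form'][...]. JRequest's 'array'
// filter strips HTML tags, which is input cleaning, not SQL escaping; the
// quoting above is still required.
$form = JRequest::getVar('form', array(), 'post', 'array');
if (!empty($form['username'])) {
    if (usernameExists($db, $form['username'])) {
        // Preferred over die(): the message is shown inside the normal page
        JError::raiseWarning(100, 'This username is already taken.');
    } else {
        $userid = insertUserRow($db, $form['fullname'], $form['username'],
                                $form['email'], $form['password']);
    }
}
```

The point of `Quote()` is that escaping is done by the database layer, with the rules of the actual connection, at the moment the value is placed into the statement; a filter applied to `$_POST` earlier cannot know which characters will be significant in the query that is eventually built.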

Dreambringer
Joomla! Intern
Posts: 83
Joined: Mon Feb 11, 2008 8:42 pm

Re: RS Form Pro Help -

Post by Dreambringer » Tue Sep 01, 2009 4:28 pm

fcoulter wrote: Also you should do some input validation before running your SQL, your site will be vulnerable to SQL injection attacks otherwise. This code looks highly insecure.

Thanks for the response, and after reading that, I think I am going to rethink using this comp... this feature!

Thanks again!

dam-man
Joomla! Exemplar
Posts: 7961
Joined: Fri Sep 09, 2005 2:13 pm
Location: The Netherlands

Re: RS Form Pro Help -

Post by dam-man » Wed Sep 02, 2009 8:28 am

Why not look at com_user?
Joomla! is doing it a better way. The $user object has functions to insert users.
Robert Dam - Joomla Forum Moderator
Dutch Boards | Joomla Coding Boards | English Support Boards

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: RS Form Pro Help -

Post by fcoulter » Wed Sep 02, 2009 8:58 am

I agree - user registration is a complex issue; if you are going to do something with it, it is best to spend some time first of all studying how com_user works. There are various Joomla classes that handle these things, such as the JUser class and the JAuthentication class; you can find these in Joomla and look at how they work.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

alexpRS
Joomla! Intern
Posts: 76
Joined: Mon Mar 23, 2009 7:17 am

Re: RS Form Pro Help -

Post by alexpRS » Thu Sep 03, 2009 7:36 am

Hello,

With a little knowledge you can do just about anything with RSform!Pro ... even a registration form, though it was not designed for this.

If you wish to build this the "joomla-way" you can use the following code:

Code:

$user = & JFactory::getUser(0);   // a fresh JUser with id 0, i.e. a new user
$db = & JFactory::getDBO();       // needed for the duplicate-username query below
$name = $_POST['form']['name'];
$email = $_POST['form']['email'];
$password = $_POST['form']['password'];
$user->name = $name;
$user->email = $email;

// Derive a username from the name: keep letters, digits and whitespace,
// then turn runs of spaces into dots
$username = preg_replace("/[^a-zA-Z0-9\s]/", "", trim(strtolower($name)));
$username = preg_replace('/ {1,}/', '.', $username);
// Append a random suffix until the username is unused
$isDuplicate = true;
while ($isDuplicate)
{
    $db->setQuery("select count(id) as c from #__users where username='".$username."'");
    $count = $db->loadResult();
    if ($count == 0) $isDuplicate = false;
    else
    {
        $isDuplicate = true;
        $username = $username.rand(0,99);
    }
}
$user->username = $username;
$user->sendEmail = 1;
$user->password = md5($password);

$user->gid = 18;                  // 18 = Registered group
$user->usertype = 'Registered';
$user->block = 0;
// save() returns false on failure; report the error in that case
if (!$user->save())
{
    die($user->getError());
}

There is no need to perform injection verifications here, due to the fact that this is automatically done by default in RSform!Pro.
http://www.rsjoomla.com
- RSform!Pro - RSFirewall! - RSEvents!Pro - RSSeo! - RSDirectory! - RSMail! - RSBlog!

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: RS Form Pro Help -

Post by fcoulter » Thu Apr 29, 2010 10:19 am

I don't believe that this is sufficient protection. The problem with SQL injection attacks is that they can be performed with characters that are otherwise perfectly valid in post variables, so simply sanitizing the $_POST array is not going to be sufficient.

To be secure, all string data should be properly escaped before using it to query the database, which they are not in these scripts. For that reason I would not recommend using them.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
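To show the "Joomla way" that dam-man and fcoulter point to, here is an added example (not code from the thread, from RSform!Pro or from any of the posters) that registers the user through JUser::bind() and JUser::save() instead of hand-written SQL. To my understanding of Joomla 1.5, bind() on a new user hashes the password with a random salt via JUserHelper and derives usertype from gid, and save() runs JTableUser::check(), which rejects an empty name, an invalid e-mail and a username that is already in use, stores the row with quoted values, and creates the ACL object and group mapping. The field names `name`, `username`, `email` and `password`, and the helper `registerFromForm()`, are assumptions of this example; the group id 18 is the one used in the thread.

```php
<?php
defined('_JEXEC') or die('Restricted access');

// Added example, not code from the thread or from RSform!Pro.
// Assumes the Joomla 1.5 framework is loaded (JUser, JFactory, JRequest, JError).

// Registers a user from the submitted form fields. Returns array(true, id) on
// success or array(false, message) on failure.
function registerFromForm(array $form)
{
    // Pass on only the keys we choose: bind() accepts any property name, so an
    // extra 'gid' or 'block' field in the POST must never reach it.
    $data = array(
        'name'     => isset($form['name'])     ? trim($form['name'])     : '',
        'username' => isset($form['username']) ? trim($form['username']) : '',
        'email'    => isset($form['email'])    ? trim($form['email'])    : '',
        'password' => isset($form['password']) ? $form['password']       : '',
    );
    // bind() compares password with password2 for a new user
    $data['password2'] = $data['password'];
    // 18 is the Registered group in a default Joomla 1.5 install (as in the thread);
    // bind() fills usertype from it
    $data['gid']       = 18;
    $data['block']     = 0;
    $data['sendEmail'] = 0;

    // A new, empty user (id 0); JFactory::getUser(0) as used in the thread works too
    $user = new JUser();

    // bind() validates the password pair, salts and hashes the password and sets
    // registerDate; it never writes to the database
    if (!$user->bind($data)) {
        return array(false, $user->getError());
    }
    // save() runs JTableUser::check() (name, e-mail, duplicate username), stores
    // the row through the table class and adds the ARO / group mapping rows
    if (!$user->save()) {
        return array(false, $user->getError());
    }
    return array(true, (int) $user->id);
}

// Usage from an RSform!Pro script box: the fields arrive as $_POST['form'][...]
$form = JRequest::getVar('form', array(), 'post', 'array');
list($ok, $result) = registerFromForm($form);
if (!$ok) {
    JError::raiseWarning(100, $result);   // e.g. the "username already in use" message
}
```

Because the table class builds the INSERT with quoted values, no escaping is written by hand here, which is what fcoulter's objection to the earlier scripts comes down to; the duplicate-username loop from the earlier post is also unnecessary, since save() reports a taken username as an error instead.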

