This is the community forum. For a developer response use the Client Area.
Follow us on Facebook, Twitter and YouTube!

Mismatching data
#1

There is one ban reason that is very annoying: mismatching data. It occurs whenever there is something submitted that isn't supposed to be. To see what I mean, try the following:
  1. Open a comment form with a rating field
  2. Open the Commentics admin panel
  3. Disable the rating field
  4. Finish writing the comment and submit it
You will now be effectively banned. By the way, if you don't know how to unban yourself, just go to manage bans, delete your ban, and then delete the cookie that has a value of 'banned'.

In order to stop this from happening, do the following:
  1. Go to 'path to commentics here'/comments/includes/functions/processor.php
  2. Edit the functions validate_country and validate_rating so that the lines "ban(BAN_REASON_MISMATCHING_DATA)" are "error(ERROR_MESSAGE_INVALID_COUNTRY)" and "error(ERROR_MESSAGE_INVALID_RATING)" respectively
  3. Go to 'path to commentics here'/comments/includes/app/processor.php
  4. Find and replace all "ban(BAN_REASON_MISMATCHING_DATA)" strings with "error(ERROR_MESSAGE_MISMATCHING_DATA)" or alternitavely something more fitting to the context it's in such as "error(ERROR_MESSAGE_INVALID NAME)" for the name part
  5. Go to 'path to commentics here'/comments/includes/language/processer.php
  6. Add the following lines to the end of the error section: "define ('ERROR_MESSAGE_INVALID_COUNTRY', 'There was an error while proccessing the selected country. Please try again.');" and "define ('ERROR_MESSAGE_INVALID_RATING', 'There was an error while proccessing the selected rating. Please try again.');"
  7. If you did "error(ERROR_MESSAGE_MISMATCHING_DATA)" for step 4 then also add "define ('ERROR_MESSAGE_MISMATCHING_DATA', 'There was data in your post that\'s not supposed to be there.');"

No more bans on mismatched data will occur. Don't know why it would be considered a ban in the first place. Not really a security threat in most cases. If I'm mistaken, then please tell me.

I'm giving you three guesses...
Reply
#2

If someone submits an invalid country or rating then it means that they submitted the data from another website. If you feel that it is normal behaviour to do that then feel free to make the change in instruction 2 so that they receive an error message and can continue to adjust their external data.

But the lines that require changing are:
Code:
ban(BAN_REASON_INVALID_COUNTRY);
and
Code:
ban(BAN_REASON_INVALID_RATING);

and not:
Code:
ban(BAN_REASON_MISMATCHING_DATA);

Do you believe it is common for Commentics administrators to enable and disable form fields once live?

P.S. Your mismatching data error message only mentions extra data being submitted but one could also receive the error message for missing data.

Have you completed the interview?
Reply
#3

Thanks for clearing some things up. I see what you mean, but if someone's testing the script, then this is highly annoying. In order to avoid it while testing, you have to do a complete reload of the page so that there aren't any $_POST variables. Clearing the post variables after a successfully posted comment might work. Maybe something with unset()? Or, just check if the user is an admin.

Yeah, the error message is incorrect.
Here is working code:
Code:
if(!is_administrator()){ban(BAN_REASON_MISMATCHING_DATA);}else{error(ERROR_MESSAGE_MISMATCHING_DATA);}
instead of each ban for mismatching data in "/comments/includes/app/processor.php". The functions file of the same name should remain unchanged (should be the same as the original, not my, supposedly, fix in the post above).
Actually, the file "/comments/includes/functions/processor.php" should have:
Code:
if(!is_administrator()){ban(BAN_REASON_MISMATCHING_DATA);}else{error(ERROR_MESSAGE_MISMATCHING_DATA);}
instead of:
Code:
ban(BAN_REASON_MISMATCHING_DATA);
Otherwise, the admin gets banned 0_o

I'm giving you three guesses...
Reply
#4

That's definitely an improvement.

However I was thinking of producing an error every time for mismatching data because there might be the odd occasion when the administrator enables/disables a field once live, and I would hate for users to get banned for no good reason.

Have you completed the interview?
Reply
#5

Nah, then the admin would unban the user, apologize for, the mistake, tell the user to clear cookies(unless that is a security risk) and set things straight. Better safe than sorry.

I'm giving you three guesses...
Reply
#6

Okay, so you think it would be best to keep the ban but to exclude the administrator from it and give the administrator an error message instead?

Have you completed the interview?
Reply
#7

Yeah, I guess that would be best. To avoid the mistaken ban, the admin should set the page to be under maintenance. An FAQ entry will help users understand "Why are my users are getting banned for mismatching data?". Seems to be a fixed issue to me.

I'm giving you three guesses...
Reply
#8

The maintenance setting can only minimize the risk of a mistaken ban. If the user starts completing the form, and the administrator puts the script in maintenance mode to enable/disable a field, if the script is back out of maintenance before the user submits the form then they will still get banned. It would only work if they submit the form and the script is still in maintenance mode then they would not get banned.

I think the best method would be to go to Tool -> Viewers to make sure no one is on the page.

Have you completed the interview?
Reply
#9

Yeah, that should do it, only turn on maintenance after that to make sure nobody's on the site while you are changing things. That reduce the risk about 99%. Put that in the FAQ for version 1.1 and you're all set.

EDIT: I think that this thread can be closed now. Unless you have anything else to add, I'm done.

I'm giving you three guesses...
Reply
#10

How about I just add a condition inside the ban function so it never bans the administrator.

If the administrator submits mismatching data then it's not a big deal. As it's the admin, we know it's not malicious.

Minimal code change and the administrator never being banned makes sense.

May as well do the same for the approval function too.

Have you completed the interview?
Reply


Forum Jump:


Users browsing this thread: 5 Guest(s)