
Mismatching data
#1

There is one ban reason that is very annoying: mismatching data. It occurs whenever there is something submitted that isn't supposed to be. To see what I mean, try the following:
  1. Open a comment form with a rating field
  2. Open the Commentics admin panel
  3. Disable the rating field
  4. Finish writing the comment and submit it
You will now be effectively banned. By the way, if you don't know how to unban yourself, just go to manage bans, delete your ban, and then delete the cookie that has a value of 'banned'.

In order to stop this from happening, do the following:
  1. Go to 'path to commentics here'/comments/includes/functions/processor.php
  2. Edit the functions validate_country and validate_rating so that the lines "ban(BAN_REASON_MISMATCHING_DATA)" are "error(ERROR_MESSAGE_INVALID_COUNTRY)" and "error(ERROR_MESSAGE_INVALID_RATING)" respectively
  3. Go to 'path to commentics here'/comments/includes/app/processor.php
  4. Find and replace all "ban(BAN_REASON_MISMATCHING_DATA)" strings with "error(ERROR_MESSAGE_MISMATCHING_DATA)" or alternatively something more fitting to the context it's in, such as "error(ERROR_MESSAGE_INVALID_NAME)" for the name part
  5. Go to 'path to commentics here'/comments/includes/language/processor.php
  6. Add the following lines to the end of the error section: "define ('ERROR_MESSAGE_INVALID_COUNTRY', 'There was an error while processing the selected country. Please try again.');" and "define ('ERROR_MESSAGE_INVALID_RATING', 'There was an error while processing the selected rating. Please try again.');"
  7. If you did "error(ERROR_MESSAGE_MISMATCHING_DATA)" for step 4 then also add "define ('ERROR_MESSAGE_MISMATCHING_DATA', 'There was data in your post that\'s not supposed to be there.');"

No more bans on mismatched data will occur. Don't know why it would be considered a ban in the first place. Not really a security threat in most cases. If I'm mistaken, then please tell me.

I'm giving you three guesses...
#2

If someone submits an invalid country or rating then it means that they submitted the data from another website. If you feel that it is normal behaviour to do that then feel free to make the change in instruction 2 so that they receive an error message and can continue to adjust their external data.

But the lines that require changing are:
Code:
ban(BAN_REASON_INVALID_COUNTRY);
and
Code:
ban(BAN_REASON_INVALID_RATING);

and not:
Code:
ban(BAN_REASON_MISMATCHING_DATA);

Do you believe it is common for Commentics administrators to enable and disable form fields once live?

P.S. Your mismatching data error message only mentions extra data being submitted but one could also receive the error message for missing data.

Have you completed the interview?
#3

Thanks for clearing some things up. I see what you mean, but if someone's testing the script, then this is highly annoying. In order to avoid it while testing, you have to do a complete reload of the page so that there aren't any $_POST variables. Clearing the post variables after a successfully posted comment might work. Maybe something with unset()? Or, just check if the user is an admin.

Yeah, the error message is incorrect.
Here is working code:
Code:
if (!is_administrator()) {
    ban(BAN_REASON_MISMATCHING_DATA);        // ordinary visitors are still banned
} else {
    error(ERROR_MESSAGE_MISMATCHING_DATA);   // the administrator only gets an error message
}
instead of each ban for mismatching data in "/comments/includes/app/processor.php". The functions file of the same name should remain unchanged (it should be the same as the original, not my supposed fix in the post above).
Actually, the file "/comments/includes/functions/processor.php" should have:
Code:
if (!is_administrator()) {
    ban(BAN_REASON_MISMATCHING_DATA);        // ordinary visitors are still banned
} else {
    error(ERROR_MESSAGE_MISMATCHING_DATA);   // the administrator only gets an error message
}
instead of:
Code:
ban(BAN_REASON_MISMATCHING_DATA);
Otherwise, the admin gets banned 0_o

I'm giving you three guesses...
#4

That's definitely an improvement.

However I was thinking of producing an error every time for mismatching data because there might be the odd occasion when the administrator enables/disables a field once live, and I would hate for users to get banned for no good reason.

Have you completed the interview?
#5

Nah, then the admin would unban the user, apologize for the mistake, tell the user to clear cookies (unless that is a security risk) and set things straight. Better safe than sorry.

I'm giving you three guesses...
#6

Okay, so you think it would be best to keep the ban but to exclude the administrator from it and give the administrator an error message instead?

Have you completed the interview?
#7

Yeah, I guess that would be best. To avoid the mistaken ban, the admin should set the page to be under maintenance. An FAQ entry will help users understand "Why are my users getting banned for mismatching data?". Seems to be a fixed issue to me.

I'm giving you three guesses...
#8

The maintenance setting can only minimize the risk of a mistaken ban. If the user starts completing the form, and the administrator puts the script in maintenance mode to enable/disable a field, if the script is back out of maintenance before the user submits the form then they will still get banned. It would only work if they submit the form and the script is still in maintenance mode then they would not get banned.

I think the best method would be to go to Tool -> Viewers to make sure no one is on the page.

Have you completed the interview?
#9

Yeah, that should do it; only turn on maintenance after that to make sure nobody's on the site while you are changing things. That reduces the risk by about 99%. Put that in the FAQ for version 1.1 and you're all set.

EDIT: I think that this thread can be closed now. Unless you have anything else to add, I'm done.

I'm giving you three guesses...
#10

How about I just add a condition inside the ban function so it never bans the administrator.

If the administrator submits mismatching data then it's not a big deal. As it's the admin, we know it's not malicious.

Minimal code change and the administrator never being banned makes sense.

May as well do the same for the approval function too.

Have you completed the interview?
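The two proposals in this thread, post #3's check wrapped around each ban call and post #10's single check inside ban() itself, as an added example written for this page and not taken from Commentics' source. It is a small stand-in for the processor's rating validation: a ban reason passed to ban() is turned into an error message when the submitter is the administrator, and "mismatching data" covers both the extra-field case from post #1 and the missing-field case from post #2. The constant values, the session flag that is_administrator() reads, the settings array, the five accepted rating values and all the submissions at the bottom are assumptions constructed for the example.

```php
<?php
// Added example, not Commentics' own code. Names follow the thread
// (is_administrator, ban, error, BAN_REASON_*); everything else is assumed.

const BAN_REASON_MISMATCHING_DATA = 'Mismatching data';
const BAN_REASON_INVALID_RATING   = 'Invalid rating';

// Message shown instead of a ban when the submitter is the administrator.
// The mismatching-data text mentions missing data too, as post #2 asked.
const ERROR_MESSAGES = [
    BAN_REASON_MISMATCHING_DATA => "There was data in your post that isn't supposed to be there, or data that is missing.",
    BAN_REASON_INVALID_RATING   => 'There was an error while processing the selected rating. Please try again.',
];

function is_administrator(array $session): bool
{
    // Assumption: the admin panel marks a logged-in admin session with this flag.
    return !empty($session['is_admin']);
}

function error(string $message, array &$outcome): void
{
    $outcome['errors'][] = $message;
}

// Post #10: one condition inside ban() so the administrator is never banned,
// whichever reason the caller passes. Visitors are banned exactly as before.
function ban(string $reason, array $session, array &$outcome): void
{
    if (is_administrator($session)) {
        error(ERROR_MESSAGES[$reason], $outcome);
        return;
    }
    // A real install would insert the ban record and set the 'banned' cookie here.
    $outcome['banned'] = $reason;
}

// "Mismatching" = the field's presence disagrees with the admin setting
// (field disabled but submitted, or enabled but missing).
// "Invalid" = the field is expected but carries a value the form never offered.
function validate_rating(array $post, array $settings, array $session, array &$outcome): void
{
    $present = array_key_exists('rating', $post);

    if ($present !== (bool) $settings['rating_enabled']) {
        ban(BAN_REASON_MISMATCHING_DATA, $session, $outcome);
        return;
    }
    if ($present && !in_array($post['rating'], ['1', '2', '3', '4', '5'], true)) {
        ban(BAN_REASON_INVALID_RATING, $session, $outcome);
    }
}

// Runs one submission and reports what happened to it.
function process(array $post, array $settings, array $session): array
{
    $outcome = ['banned' => null, 'errors' => []];
    validate_rating($post, $settings, $session, $outcome);
    return $outcome;
}

// Constructed submissions replaying the thread's scenarios.
$visitor = [];
$admin   = ['is_admin' => true];

$scenarios = [
    'visitor, rating field disabled after the form was rendered' => [['rating' => '4'], ['rating_enabled' => false], $visitor],
    'administrator, same submission'                             => [['rating' => '4'], ['rating_enabled' => false], $admin],
    'visitor, field enabled but missing from the post'           => [[],                ['rating_enabled' => true],  $visitor],
    'visitor, value the form never offered'                      => [['rating' => '9'], ['rating_enabled' => true],  $visitor],
    'visitor, normal comment'                                    => [['rating' => '4'], ['rating_enabled' => true],  $visitor],
];

foreach ($scenarios as $label => [$post, $settings, $session]) {
    $result = process($post, $settings, $session);
    printf("%-60s banned: %-18s errors: %s\n",
        $label,
        $result['banned'] ?? 'no',
        $result['errors'] ? implode(' | ', $result['errors']) : 'none');
}
```

Run it with `php` on the command line; the administrator row is the only one that reports an error message without a ban, and the two "mismatching" rows show that an unexpected field and a missing field are treated identically, which is why a message that only mentions extra data was misleading.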

