Support » Fixing WordPress » sanitize_user function: security risks if relaxed/disabled?

  • Hi,

    I’m running a vBulletin forum and just launched a new WordPress-based web site. I’ve set things up so users can log in to the WordPress site using their vB forum username and password; when the user successfully logs in to the WordPress site for the first time, it pulls their username, password and some metadata from the vB database and puts it into the WordPress database. Works great, but there’s a problem (isn’t there always?).

    The problem is vBulletin allows pretty much every special character (!@#$%^&*()+, etc) under the sun to be used in usernames. WordPress does not. I have thousands of forum members who have used special characters in their usernames, so asking them all to switch is not practical.

    The WP sanitize_user() function is what’s preventing the successful import of usernames with special characters. I can relax the restrictions in the regexes used to preg_replace these restricted characters so they are allowed, but I’m concerned about the security implications of doing so (I’m not at all familiar with the inner workings of WordPress).

    So what is the purpose of the sanitize_user() function? Is it simply to make the usernames as compatible with other systems as possible? Or are there security reasons for the function to exist? If that’s the case, why? How is it that vBulletin can safely allow usernames with characters used in URL query strings while WordPress can not?

    Any help would be appreciated. This is a potentially big problem.
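To make the question concrete, the script below is an added example (not code from this thread, and not WordPress core) that models the kinds of stripping a username sanitizer such as sanitize_user() performs: markup removal, removal of percent-encoded octets and HTML entities, and an optional strict ASCII whitelist for portability. It runs the model over constructed forum-style usernames next to a relaxed variant that widens only the portability whitelist, so it shows which part of the function is about compatibility and which part protects later output contexts. The stage list, the whitelists and the sample names are assumptions made for illustration and may differ from the real function (for instance, accent transliteration is not modelled).

```php
<?php
// Added example: a simplified stand-alone model of username sanitization,
// not WordPress's sanitize_user() itself. Stage order and regexes are
// assumptions chosen to illustrate the function's two separate purposes.

function model_sanitize_user(string $username, bool $strict = false): string {
    // 1. Strip markup so a username can never carry tags into a rendered page.
    $username = strip_tags($username);
    // 2. Drop percent-encoded octets (e.g. "%3C"), which a later URL-decode
    //    could turn back into characters step 1 already removed.
    $username = preg_replace('/%[a-fA-F0-9]{2}/', '', $username);
    // 3. Drop HTML entities (e.g. "&lt;"), for the same reason.
    $username = preg_replace('/&.+?;/', '', $username);
    // 4. Strict mode: reduce to a small ASCII set for maximum portability
    //    across other systems (this is the compatibility part, not the
    //    security part).
    if ($strict) {
        $username = preg_replace('/[^a-z0-9 _.\-@]/i', '', $username);
    }
    // Trim and collapse internal whitespace.
    $username = trim($username);
    return preg_replace('/\s+/', ' ', $username);
}

// Relaxed variant: keeps the stages that protect output contexts (markup,
// octets, entities) and only widens the portability whitelist to the kind of
// punctuation a forum may have allowed. The extra set is a constructed choice.
function relaxed_sanitize_user(string $username): string {
    $username = strip_tags($username);
    $username = preg_replace('/%[a-fA-F0-9]{2}/', '', $username);
    $username = preg_replace('/&.+?;/', '', $username);
    $username = preg_replace('/[^a-z0-9 _.\-@!#$%^&*()+]/i', '', $username);
    $username = trim($username);
    return preg_replace('/\s+/', ' ', $username);
}

// Constructed sample usernames in the style a forum might accept.
$samples = [
    'Sam!',                    // punctuation a forum allows; strict drops it
    'john_stone@example',      // survives both variants unchanged
    'ev<script>il</script>',   // markup is removed by both variants
    'bad%3Cname',              // percent-encoded "<" is removed by both
    'x&lt;y',                  // entity-encoded "<" is removed by both
    'a  b   c',                // whitespace runs are collapsed to one space
];

printf("%-24s %-20s %s\n", 'input', 'strict', 'relaxed');
foreach ($samples as $s) {
    printf("%-24s %-20s %s\n", $s, model_sanitize_user($s, true), relaxed_sanitize_user($s));
}
```

Run with `php model.php`. The rows show that widening the whitelist changes only how portable a name is ("Sam!" versus "Sam"); the stages that matter for safety are the ones that refuse markup, encoded octets and entities, and those should stay even in a relaxed import. Whatever set of characters is allowed, a stored username is still untrusted data when it is printed into HTML, attributes, URLs or SQL, so the output escaping WordPress applies in templates and the parameterised database calls remain the actual protection; input sanitization only narrows what has to be escaped. If the import does need a wider set, WordPress passes the result of sanitize_user() through its `sanitize_user` filter hook, which lets a plugin adjust the result without editing core.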

Viewing 1 replies (of 1 total)
  • Hi!

    I struggle with the same problem as John Stone, the only difference is that I have my users in phpBB3. As phpBB3 also allows (by default) the usernames to contain about anything, I currently have over 2000 users that are not WP-compatible. This is quite a big problem for me, since I plan to put up WP in multisite mode to allow my users to start their own blogs.

    Any input on this problem is welcome!

    Sam
