diff -r b25d34fbc7ab -r e0787bb6285b plugins/admin/UserManager.php
--- a/plugins/admin/UserManager.php Sun Jan 20 22:34:02 2008 -0500
+++ b/plugins/admin/UserManager.php Mon Jan 21 10:09:48 2008 -0500
@@ -423,6 +423,10 @@
 );
 $form->email_public = ( isset($_POST['email_public']) );
 $form->account_active = ( isset($_POST['account_active']) );
+ // This is SAFE. The smartform calls is_valid_ip() on this value, thus preventing XSS
+ // attempts from making it into the form HTML. Badly coded templates may still be
+ // affected, but if have_reg_ip is checked for, then you're fine.
+ $form->reg_ip_addr = $_POST['user_registration_ip'];
 echo $form->render();
 return false;
 }
@@ -446,7 +450,7 @@
 echo 'No username provided';
 return false;
 }
- $q = $db->sql_query('SELECT u.user_id AS authoritative_uid, u.username, u.email, u.real_name, u.signature, u.account_active, u.user_level, u.user_has_avatar, u.avatar_type, x.* FROM '.table_prefix.'users AS u
+ $q = $db->sql_query('SELECT u.user_id AS authoritative_uid, u.username, u.email, u.real_name, u.signature, u.account_active, u.user_level, u.user_has_avatar, u.avatar_type, u.user_registration_ip, x.* FROM '.table_prefix.'users AS u
 LEFT JOIN '.table_prefix.'users_extra AS x ON ( u.user_id = x.user_id OR x.user_id IS NULL ) WHERE ( ' . ENANO_SQLFUNC_LOWERCASE . '(u.username) = \'' . $db->escape(strtolower($username)) . '\' OR u.username = \'' . $db->escape($username) . '\' ) AND u.user_id != 1;');
@@ -485,6 +489,7 @@
 'hobbies' => $row['user_hobbies'],
 );
 $form->email_public = ( $row['email_public'] == 1 );
+ $form->reg_ip_addr = ( $row['user_registration_ip'] ) ? $row['user_registration_ip'] : '';
 $html = $form->render();
 if ( !$html )
 {
@@ -761,6 +766,13 @@
 var $avi_type = 'png';
 /**
+ * The IP address of the user during registration
+ * @var string
+ */
+
+ var $reg_ip_addr = '';
+
+ /**
 * Constructor.
 */
@@ -1086,6 +1098,20 @@
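Review bot: In the first hunk (the re-render path that ends in `echo $form->render(); return false;`), `$_POST['user_registration_ip']` is copied into `$form->reg_ip_addr` unchecked, so the only barrier between client-supplied text and the admin page's HTML is a check made later at render time, which the comment itself says a template can miss. Validating at the point of assignment removes that dependency and also avoids the undefined-index notice when the field is absent: `$ip = isset($_POST['user_registration_ip']) ? $_POST['user_registration_ip'] : '';` followed by `$form->reg_ip_addr = is_valid_ip($ip) ? $ip : '';`. The database-loaded assignment in the `@@ -485,6 +489,7 @@` hunk would benefit from the same `is_valid_ip()` guard, so that both paths hand the form an already-validated value. The render code and the enclosing function lie outside the visible hunks, so the comment's claim that the smartform calls `is_valid_ip()` cannot be confirmed from this page.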