I'm developing a bespoke web system for a client using CodeIgniter and Ion Auth. Everything has been going fine so far; however, I have just come across an issue whereby if I try to set a password with an ampersand in it, that user can no longer log in to the system.

At first I thought this issue may be related to character coding as I was setting the passwords manually using a literal string, however the same happens if I take the input directly from an HTML form. I haven't changed any encryption/hash settings in Ion Auth, only the site title, default user group, and the table attribute used for the username.

I'm using CodeIgniter 3 and Ion Auth. Please let me know if you need any more information.

Any ideas what is happening here?

Andy
  • I would suspect the Input class and allowed characters. See [this](http://stackoverflow.com/questions/4197976/codeigniter-disallowed-key-characters#answer-4198531) answer, but do not hack core files. Instead, make MY_Input.php in core. – Tpojka May 12 '15 at 23:17
  • @Tpojka Thanks for your comment. Every time I try to add an asterisk to the regular expression, however, it breaks, even when I escape it or use `preg_quote()`. What would the regular expression be? – Andy May 13 '15 at 15:42
  • I think you should start over and then see where it is broken, because I just tried a password with an asterisk (Shift+8) in Ion Auth and it is working with no problems. Also, I didn't change anything in the Input class. – Tpojka May 13 '15 at 16:06
  • @Tpojka That's what I would usually do but unfortunately the system is actually in use so that is really only a last resort! Hence why I came here. – Andy May 13 '15 at 16:21
  • I just meant I couldn't reproduce the error, since Ion Auth works perfectly with asterisks in the password. My first comment was made before checking it in practice and was just my own logic. – Tpojka May 13 '15 at 16:22
  • @Tpojka I've actually just discovered that if I call the register function and set a new user a password with an asterisk it works fine, but when I try to update that user's password to a different password with asterisks that's when the problems start. Does that help in any way? – Andy May 13 '15 at 16:33
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/77740/discussion-between-tpojka-and-andy). – Tpojka May 13 '15 at 16:39
  • @Tpojka Just discovered, I'm really sorry, that it is the ampersand (&) causing the issues not the asterisk. My bad. Can you use ampersands on your installation? – Andy May 13 '15 at 18:54
  • Administrator edited member password from `qwerty123*` to `qwerty123&` and successfully logged in with new one. – Tpojka May 13 '15 at 20:06
  • Argh, let me see what else I can find then... – Andy May 13 '15 at 20:17

1 Answer

I've just discovered the issue, and it has made me feel just a little bit daft but I thought I'd let everyone else know the solution because if I've had this issue, I'm sure somebody else is bound to.

The problem was nothing to do with Ion Auth, but instead to do with me incorrectly using CodeIgniter functions. To obtain the password from the form, I was using `set_value('password')` which actually escapes values for HTML as documented here and written about here. Obviously by just printing the password using echo, which was how I was attempting to debug, I couldn't see that the original string was being altered in any way but it made a difference to the hash.

The solution is to simply use `$this->input->post('password')` to get the password instead, as this function makes no changes to the original input.

Hope that helps somebody. The moral of the story is to get familiar with any framework before you start using it and read the documentation thoroughly.

Andy
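
Added example (not part of the original answer, and not Ion Auth or CodeIgniter code): a stand-alone PHP script showing why an HTML-escaped password no longer matches what the user types. It assumes `htmlspecialchars()` as a stand-in for the escaping the answer attributes to `set_value()`, and `password_hash()` as a stand-in for Ion Auth's hashing; the helper names and sample passwords are constructed for illustration.

```php
<?php
// Added example, not the poster's code. htmlspecialchars() stands in for the
// HTML escaping the answer says set_value() applies; password_hash() stands in
// for Ion Auth's hashing. All passwords below are constructed sample values.

// Assumed stand-in for reading the field through set_value('password').
function read_escaped(array $post, string $field): string
{
    return htmlspecialchars($post[$field] ?? '', ENT_QUOTES, 'UTF-8');
}

// Stand-in for $this->input->post('password'): the value exactly as submitted.
function read_raw(array $post, string $field): string
{
    return $post[$field] ?? '';
}

// True when a hash made from $stored verifies against what the user types.
function login_succeeds(string $stored, string $typed): bool
{
    return password_verify($typed, password_hash($stored, PASSWORD_BCRYPT));
}

$samples = ['qwerty123*', 'qwerty123&', 'a<b>c', 'it\'s"quoted"'];

foreach ($samples as $password) {
    $post    = ['password' => $password];   // constructed form submission
    $escaped = read_escaped($post, 'password');
    $raw     = read_raw($post, 'password');

    // For each sample: was it altered, and can the user still log in?
    printf(
        "%-14s escaped=%-26s changed=%-3s login(escaped)=%-4s login(raw)=%s\n",
        $password,
        $escaped,
        $escaped === $password ? 'no' : 'yes',
        login_succeeds($escaped, $password) ? 'ok' : 'FAIL',
        login_succeeds($raw, $password) ? 'ok' : 'FAIL'
    );
}
```

Run it from the command line rather than in a browser: a browser renders `&amp;` back as `&`, which is why echoing the value onto a page hides the change. Comparing `strlen()` or `bin2hex()` of the value shows the difference reliably in either setting.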