Scriptlog / Tickets / #91 Merge pull request #90 from cakmoel/develop

#91 Merge pull request #90 from cakmoel/develop

Status: closed

Owner: nobody

Labels: None

Updated: 2026-03-15

Created: 2026-03-15

Creator: Anonymous

Private: No

Originally created by: nirmalakhanza

Develop

Discussion

Anonymous - 2026-03-15

Originally posted by: roomote-v0[bot]

Rooviewer See task

Reviewed changes in range 24ddc29...c9e2329. The PR diff itself remains empty (0 changed files) because main and develop are identical. The range diff shows the full codebase was merged in, but since there is no PR-level diff, inline comments cannot be attached.

I reviewed the application-level PHP files in the range and identified the following issues in the codebase. These cannot be posted as inline review comments due to the empty PR diff, so noting them here:

[ ] signup.php (lines 43-44): FILTER_SANITIZE_FULL_SPECIAL_CHARS is applied to user_pass and user_pass2, which converts HTML special characters (&, <, >, ", ') to entities before hashing. In login.php, the raw password is used. This mismatch means users whose passwords contain those characters will fail to log in. Passwords should not be sanitized before hashing.

[ ] recover-password.php (lines 43-67): CSRF validation failure sets an error message but does not halt execution. The subsequent password-change logic runs independently, so updateNewPassword() can be called even when the CSRF token is invalid.

[ ] reset-password.php (lines 32-67): Same CSRF bypass pattern. CSRF failure sets an error but does not prevent resetUserPassword() from executing if the email and captcha checks pass.

Previous reviews

24ddc29: Review [#1]

24ddc29: Review [#2]

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

Related

Tickets: #1
Tickets: #2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2026-03-15

Ticket changed by: nirmalakhanza

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2026-03-15

Ticket changed by: nirmalakhanza

status: closed --> open
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2026-03-15

Originally posted by: roomote-v0[bot]

Rooviewer See task

No code changes detected in this PR. The diff is empty (0 additions, 0 deletions, 0 changed files). The main and develop branches appear to be identical. No issues to flag.

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2026-03-15

Ticket changed by: cakmoel

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Merge pull request #90 from cakmoel/develop

Milestone

Searches

Help

#91 Merge pull request #90 from cakmoel/develop

Discussion

Related