Password Character Restrictions?

ThaRiddla
edited March 2007 in Vanilla 1.0 Help
One of my users commented that they were having some issues with their password. They use an @ symbol as one of the characters, and vanilla (1.1.2 and previously 1.0.3) would not allow them to simply type their password, but it could be pasted in from notepad or other text application.

Are there limitations on what characters can be used for passwords and/or usernames?

Has anyone else experienced this issue? I basically told them to change their password to something without that character for now until I have a resolution.

Comments

  • A password with @ seems to be working at the OpenSourceCMS demo (username: admin, pass: demo) but there's another problem: a user is able to apply for membership with a password containing < or >. However, when the application is accepted, the user cannot log in with the same password anymore.

    This is because in People.Class.User.php:138 -- used by CreateUser() there is:

    $this->Password = FormatStringForDatabaseInput($this->Password, 1);
    $this->OldPassword = FormatStringForDatabaseInput($this->OldPassword, 1);
    $this->NewPassword = FormatStringForDatabaseInput($this->NewPassword, 1);
    $this->ConfirmPassword = FormatStringForDatabaseInput($this->ConfirmPassword, 1);
    while in People.Class.Authenticator.php:23 -- used for authentication of existing users:

    $Password = FormatStringForDatabaseInput($Password);
    Note the lack of the second parameter, which is (Framework.Functions.php:430):

    function FormatStringForDatabaseInput($inValue, $bStripHtml = '0') {
        [...]
        if ($bStripHtml) $sReturn = trim(strip_tags($sReturn));
    Thus the answer to your question is that passwords cannot contain angle brackets. Other than that, white-space chars (i.e. spaces, tabs, CRs, LFs and NULs) are stripped from both ends of the password string and the maximum length of a password is limited to 50 chars.

    I had a similar password-related problem and I did my investigation. I hope this will be useful for other Vanilla users.
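The mismatch described in the comment above (strip_tags applied at registration but not at login) can be reproduced in isolation. The following is an added example, not code from this thread or from Vanilla: normalize_like_vanilla is a hypothetical stand-in for the trim/strip_tags behaviour the comment quotes, and the hashing is an illustrative sha256 stand-in rather than whatever Vanilla 1 actually stores. The hardened variant shows the usual fix: a password is hashed, never written to the database as text, so it should not be "formatted for database input" on either path.

```php
<?php
// Hypothetical reconstruction of the behaviour quoted in the thread, not Vanilla's code.
// trim() removes " \t\n\r\0\x0B" from both ends; with $stripHtml set, strip_tags runs too.
function normalize_like_vanilla(string $value, bool $stripHtml = false): string
{
    $out = trim($value);
    if ($stripHtml) {
        $out = trim(strip_tags($out));
    }
    return $out;
}

// Illustrative stand-in for the stored password hash (assumption: any deterministic
// hash is enough to show the mismatch; real code should use password_hash below).
function stored_hash(string $password): string
{
    return hash('sha256', $password);
}

// Registration path: second argument set, as in CreateUser().
function register_legacy(string $password): string
{
    return stored_hash(normalize_like_vanilla($password, true));
}

// Login path: second argument omitted, as in the Authenticator.
function login_legacy(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, stored_hash(normalize_like_vanilla($password, false)));
}

// Hardened variant: the secret is never transformed; the same raw bytes are hashed
// on both paths, so any character (including @, < and >) round-trips.
function register_fixed(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function login_fixed(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed sample passwords: the @ case from the question, two angle-bracket
// cases from the comment, and a padded one to show trim behaves the same on both paths.
$cases = ['p@ssw0rd', 'a<b>c', 'x<y', '  pad '];
foreach ($cases as $pw) {
    $legacyHash = register_legacy($pw);
    $fixedHash  = register_fixed($pw);
    printf("%-10s legacy login: %-4s fixed login: %s\n",
        json_encode($pw),
        login_legacy($pw, $legacyHash) ? 'ok' : 'FAIL',
        login_fixed($pw, $fixedHash) ? 'ok' : 'FAIL');
}
```

Run with `php` on the command line. The @ and padded cases log in on both paths, while the two angle-bracket passwords fail under the legacy path only, because strip_tags removes `<b>` entirely and, for `x<y`, drops everything from the `<` onward before the hash is computed at registration.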