Modern browsers complain if there are non-https elements in https websites. This makes sure that if the user visits via https, all elements of the page are also retrieved using SSL. Furthermore, it uses https URLs in emails that are sent to the user, if SECURE_URL_BASE is set in project/project.inc.
The only remaining places where URL_BASE is used are where it is used as master_url, where it is important that it is in sync with what the scheduler uses.
There are two aspects:
1) undoing magic quotes (if it's being used).
This must be done for all GET and POST string inputs.
It is now done automatically by get_str() and post_str().
The places that refer to $_GET and $_POST directly
must do it themselves using undo_magic_quotes().
2) Escaping user-supplied strings before using them in DB queries.
This is done by process_user_text()
(which should be renamed db_escape_string()).
The new principle:
call process_user_text() in the function that does the DB query
(not at any higher level).
svn path=/trunk/boinc/; revision=15389
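
The two aspects described in the commit message above, as an added example (not BOINC's code): the function names are the ones the message uses, but their bodies, the `$MAGIC_QUOTES` flag, `insert_user()` and the in-memory SQLite database standing in for the project's DB are assumptions for illustration.

```php
<?php
// Added illustration. Function names follow the commit message; the bodies
// are assumptions, and SQLite stands in for the project's real database.

// Constructed input: the value the script sees for name=O'Brien when
// magic quotes is on (the quote arrives prefixed with a backslash).
$MAGIC_QUOTES = true;               // hypothetical flag for this example
$_GET = ['name' => "O\\'Brien"];

// Aspect 1: strip the backslashes magic quotes added, if it is in use.
function undo_magic_quotes(string $s): string {
    global $MAGIC_QUOTES;
    return $MAGIC_QUOTES ? stripslashes($s) : $s;
}

// Input accessor: callers receive the string as the user typed it.
function get_str(string $name): string {
    return undo_magic_quotes($_GET[$name]);
}

// Aspect 2: escape a string for use inside a quoted SQL literal.
function process_user_text(string $s): string {
    return SQLite3::escapeString($s);
}

// The function that issues the query is the one that escapes, so every
// caller is covered and no value is escaped twice at a higher level.
function insert_user(SQLite3 $db, string $name): void {
    $name = process_user_text($name);
    $db->exec("INSERT INTO user (name) VALUES ('$name')");
}

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE user (name TEXT)');

// Correct path: magic quotes undone by get_str(), escaped once at the query.
insert_user($db, get_str('name'));
// Direct $_GET use that skips undo_magic_quotes(): the query is still
// well-formed, but the backslash magic quotes added is stored as data.
insert_user($db, $_GET['name']);

$res = $db->query('SELECT name FROM user ORDER BY rowid');
while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
    echo $row['name'], "\n";
}
```
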
- login form now has ONLY email/passwd
("login with account key" is gone)
- "forgot password?" takes you to a page with two options:
1) type in email address, get an email with login link
2) instructions for recovering account key from BOINC account file
- email is stripped-down, has login link and not much else
fixes #190
svn path=/trunk/boinc/; revision=14263