Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter craftersuniversity

    (@craftersuniversity)

    I have found out what the problem is: the length of the address to the error pages is over 255 characters, which my security plugin sees as a PHP injection attempt. Since it is a good security practice to block addresses longer than 255 characters, and since the error pages seem to work fine with only the beginning part ( https://craftersu.com/members/crafters-university/invite-anyone/invite-new-members?error_message=%3Cstrong%3Einfo%40craftersu.com%3C%2Fstrong%3E+is+already+a+registered+user+of+the+site.%3Cbr+%2F%3E&error_emails%5B0%5D=info%40craftersu.com ), I hope that this address will be shortened in future updates. It would increase the security of the plugin a great deal.

    Thread Starter craftersuniversity

    (@craftersuniversity)

    Bump ( And merry Christmas!:)

    Thread Starter craftersuniversity

    (@craftersuniversity)

    Since the author seems to have abandoned this plugin, I took it upon myself to try to make a crude fix. This only kind of works; most users will not notice any problem.

    I found the string variable that contained the long query argument and added some simple code that just truncates it. This means that only a part of the full error message will be printed out on the error page, but it is usually sufficient for one erroneous email. If the user had entered more than one erroneous email, the error message will most probably be truncated in an obvious and ugly way. Still, it is better than no error page whatsoever…

    Here is what you need to do:

    Download by-email.php file in /wp-content/plugins/invite-anyone/by-email/, change it by finding this part:

    function invite_anyone_prepare_return_qs( $returned_data ) {
    	// Build the return query string from every returned form value.
    	$qs = '';
    	foreach( $returned_data as $key => $value ) {
    		/*if ( is_array( $value ) ) {
    			$key .= '[]';
    		}*/
    		$qs = add_query_arg( $key, $value, $qs );
    	}
    	return $qs;
    }

    And change it to this:

    function invite_anyone_prepare_return_qs( $returned_data ) {
    	$qs = '';
    	foreach( $returned_data as $key => $value ) {
    		/*if ( is_array( $value ) ) {
    			$key .= '[]';
    		}*/
    		$qs = add_query_arg( $key, $value, $qs );
    	}
    	// Crude fix: cut the query string off at 150 characters.
    	$charset = 'UTF-8';
    	if ( mb_strlen( $qs, $charset ) > 150 ) {
    		$qs = mb_substr( $qs, 0, 150, $charset );
    	}
    	return $qs;
    }

    [Moderator Note: Please post code & markup between backticks (not double quotes) or use the code button. Your posted code may now have been permanently damaged by the forum’s parser.]

    Upload and replace the old file on your server, and it should work!

    Plugin Author Boone Gorges

    (@boonebgorges)

    > Since the author seems to have abandoned this plugin

    The plugin has not been abandoned. I’m afraid I just don’t have time to respond immediately to every support request.

    Thanks very much for this report and for the fix. I will take a closer look. I think a better solution is probably to stop including all of this data in the $_GET superglobal and to store it in a cookie or something like that instead. Your fix could end up truncating the data that a user has put into a field.

    Thread Starter craftersuniversity

    (@craftersuniversity)

    Yes, my quick fix is not a good solution, I absolutely agree with this, but since I have waited 2 months without any response, I had to do something, however crude. I absolutely think that a cookie solution is the best, but since I don’t know anything about how to utilize cookies, I can’t do anything but wait for you to find the time to fix this… In the meantime, I will have to endure my quick and crude fix.

    I am also having this issue. And as of 2/15/14 I do have the latest version of this plugin. It also looks like the plugin was updated since the author posted his comment, any idea if this was “fixed” in any of the updates? If not, please advise of a fix. Thanks for your help.

    Plugin Author Boone Gorges

    (@boonebgorges)

    In version 1.1.0 of the plugin, I’ve moved these error messages to a cookie, which should fix the problem above. Marking this topic as resolved. Please let me know if you have issues with the solution.
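
Added example, not part of the thread and not the plugin's own code: one way to carry the error data in a short-lived cookie instead of the query string, the approach described in the reply above. It is plain PHP 7.3+; the function names, cookie name and size limit are assumptions.

```php
<?php
// Added example: hypothetical helper names, not the Invite Anyone plugin's code.
const EXAMPLE_FLASH_COOKIE = 'example_invite_flash'; // assumed cookie name
const EXAMPLE_FLASH_MAX    = 3000; // assumed cap, below the ~4 KB per-cookie browser limit

// Serialize the returned form data; null if it would not fit in one cookie.
function example_flash_encode( array $data ): ?string {
	$json = json_encode( $data );
	return ( false === $json || strlen( rawurlencode( $json ) ) > EXAMPLE_FLASH_MAX ) ? null : $json;
}

// Parse a cookie value. It is client-controlled, so keep only the expected shape.
function example_flash_decode( string $raw ): array {
	$data = json_decode( $raw, true );
	if ( ! is_array( $data ) ) {
		return array();
	}
	$out = array( 'error_message' => '', 'error_emails' => array() );
	if ( isset( $data['error_message'] ) && is_string( $data['error_message'] ) ) {
		$out['error_message'] = $data['error_message'];
	}
	if ( isset( $data['error_emails'] ) && is_array( $data['error_emails'] ) ) {
		$out['error_emails'] = array_values( array_filter( $data['error_emails'], 'is_string' ) );
	}
	return $out;
}

// Before redirecting: store the data for 60 seconds, so the URL stays short.
function example_flash_set( array $data ): bool {
	$value = example_flash_encode( $data );
	return null !== $value && setcookie( EXAMPLE_FLASH_COOKIE, $value, array(
		'expires' => time() + 60, 'path' => '/',
		'secure' => true, 'httponly' => true, 'samesite' => 'Lax', // site in the thread is HTTPS
	) );
}

// On the error page: read the data once, then expire the cookie.
function example_flash_take(): array {
	$raw = $_COOKIE[ EXAMPLE_FLASH_COOKIE ] ?? null;
	setcookie( EXAMPLE_FLASH_COOKIE, '', array( 'expires' => time() - 3600, 'path' => '/' ) );
	return is_string( $raw ) ? example_flash_decode( $raw ) : array();
}

if ( PHP_SAPI === 'cli' ) { // Offline demo with constructed data.
	$data = array( 'error_message' => 'a@example.com and b@example.com are already registered.',
		'error_emails' => array( 'a@example.com', 'b@example.com' ), 'message' => str_repeat( 'Hi! ', 60 ) );
	printf( "as a query string: %d chars\n", strlen( http_build_query( $data ) ) );
	$round = example_flash_decode( (string) example_flash_encode( $data ) );
	echo htmlspecialchars( $round['error_message'], ENT_QUOTES, 'UTF-8' ), "\n"; // escape on output
}
```

Inside WordPress, pass the cookie value through `wp_unslash()` before decoding, because WordPress adds slashes to `$_COOKIE`.
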

    Thread Starter craftersuniversity

    (@craftersuniversity)

    Beautiful! It works like a charm, and it is a much better solution than my quick and dirty hack. Thanks a lot!

  • The topic ‘Missing error page’ is closed to new replies.