
Merge pull request #90 from cakmoel/develop #91

cakmoel merged 2 commits into develop from main on Mar 15, 2026


@nirmalakhanza (Collaborator)

Develop

roomote-v0 bot commented Mar 15, 2026

Reviewed changes in range 24ddc29...c9e2329. The PR diff itself remains empty (0 changed files) because main and develop are identical. The range diff shows the full codebase was merged in, but since there is no PR-level diff, inline comments cannot be attached.

I reviewed the application-level PHP files in the range and identified the following issues in the codebase. These cannot be posted as inline review comments due to the empty PR diff, so noting them here:

  • signup.php (lines 43-44): FILTER_SANITIZE_FULL_SPECIAL_CHARS is applied to user_pass and user_pass2, which converts HTML special characters (&, <, >, ", ') to entities before hashing. In login.php, the raw password is used. This mismatch means users whose passwords contain those characters will fail to log in. Passwords should not be sanitized before hashing.
  • recover-password.php (lines 43-67): CSRF validation failure sets an error message but does not halt execution. The subsequent password-change logic runs independently, so updateNewPassword() can be called even when the CSRF token is invalid.
  • reset-password.php (lines 32-67): Same CSRF bypass pattern. CSRF failure sets an error but does not prevent resetUserPassword() from executing if the email and captcha checks pass.
Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.
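
The signup.php / login.php mismatch from the first bullet of the review above, reproduced as an added example that is not the project's own code. The function names are hypothetical stand-ins for the two code paths, and the passwords are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the signup.php and login.php paths the review
// describes; none of this is the project's own code.

/** Signup as reviewed: the password is entity-encoded before hashing. */
function signupAsReviewed(string $password): string
{
    $encoded = filter_var($password, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    return password_hash($encoded, PASSWORD_DEFAULT);
}

/** Signup corrected: hash the exact bytes the user typed. */
function signupCorrected(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Login as described in the review: the raw password is verified. */
function login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed sample passwords: one without, three with the characters
// that the filter rewrites (& < > " ').
$samples = ['correct horse battery', 'R&D-budget-2026', 'a<b>c', "it's \"quoted\""];

foreach ($samples as $pw) {
    printf(
        "%-24s reviewed signup -> login %s | corrected signup -> login %s\n",
        $pw,
        login($pw, signupAsReviewed($pw)) ? 'ok' : 'FAILS',
        login($pw, signupCorrected($pw)) ? 'ok' : 'FAILS'
    );
}
```

Entity encoding is an output-time defence for values written into HTML; a password that is only ever hashed never reaches that context, so the hash should be computed over the unmodified input on both paths.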

roomote-v0 bot commented Mar 15, 2026

No code changes detected in this PR. The diff is empty (0 additions, 0 deletions, 0 changed files). The main and develop branches appear to be identical. No issues to flag.


@cakmoel cakmoel merged commit c9e2329 into develop Mar 15, 2026
1 of 5 checks passed