diff --git a/html/account/index.php b/html/account/index.php
index ed76a92f..278163e5 100644
--- a/html/account/index.php
+++ b/html/account/index.php
@@ -85,8 +85,8 @@ if (isset($_POST['userDisplayName']) && isset($_POST['userBio'])) {
if(preg_match('!\S!u', $_POST['userDisplayName']) && preg_match('!\S!u', $_POST['userBio'])) {
$sqlRequest = "UPDATE users SET display_name = :userDisplayName, bio = :userBio WHERE ID = :userID";
$request = $pdo->prepare($sqlRequest);
- $request->bindParam(":userDisplayName", htmlspecialchars($_POST['userDisplayName']));
- $request->bindParam(":userBio", htmlspecialchars($_POST['userBio']));
+ $request->bindParam(":userDisplayName", htmlspecialchars(substr($_POST['userDisplayName'], 0, 20)));
+ $request->bindParam(":userBio", htmlspecialchars(substr($_POST['userBio'], 200)));
$request->bindParam(":userID", $_SESSION['userID']);
if($request->execute()) {
$status = "Informations mises à jour";
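Review bot: The new bio line calls `substr($_POST['userBio'], 200)`, which passes 200 as the start offset, so it discards the first 200 bytes and leaves the rest uncapped. The intended call is presumably `substr($_POST['userBio'], 0, 200)`. `substr` also counts bytes, so a cut can land inside a multibyte UTF-8 character; `htmlspecialchars` then returns an empty string on PHP before 8.1, or a replacement character on later versions. If mbstring is available, `mb_substr($_POST['userBio'], 0, 200, 'UTF-8')` avoids this, and the same applies to the `substr` calls added in html/login/register.php and html/settings/index.php. The enclosing `if` block starts and ends outside this hunk.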
diff --git a/html/login/register.php b/html/login/register.php
index 49cc1458..746b411e 100644
--- a/html/login/register.php
+++ b/html/login/register.php
@@ -17,12 +17,12 @@ if (isset($_POST['username']) && isset($_POST['password1']) && isset($_POST['pas
$status = "Caractères illégaux";
} else {
$userEmail = isset($_POST['email']) ? strtolower($_POST['email']) : NULL;
- $userDisplayName = htmlspecialchars($_POST['username']);
- $userName = str_replace(" ", "_", strtolower(htmlspecialchars($_POST['username'])));
+ $userDisplayName = htmlspecialchars(substr($_POST['username']));
+ $userName = str_replace(" ", "_", strtolower(htmlspecialchars(substr($_POST['username'], 0, 20))));
$sqlRequest = "SELECT ID FROM users WHERE username = :username";
$request = $pdo->prepare($sqlRequest);
- $request->bindParam(":username", htmlspecialchars($_POST['username']));
+ $request->bindParam(":username", $userName);
$request->execute();
$result = $request->fetchAll(PDO::FETCH_ASSOC);
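Review bot: The added `$userDisplayName = htmlspecialchars(substr($_POST['username']));` calls `substr` without an offset or length. On PHP 8 this throws an ArgumentCountError; on PHP 7 it emits a warning and returns null, so registration either aborts or proceeds with an empty display name. Matching the line below it gives `$userDisplayName = htmlspecialchars(substr($_POST['username'], 0, 20));`. Binding `$userName` in the lookup is consistent with the normalised value, assuming the INSERT (outside this hunk) stores `$userName` as well.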
diff --git a/html/settings/index.php b/html/settings/index.php
index 16ba4470..9bb13920 100644
--- a/html/settings/index.php
+++ b/html/settings/index.php
@@ -13,7 +13,7 @@ if (isset($_POST['username']) && isset($_POST['email'])) {
if(preg_match('!\S!u', $_POST['username']) && preg_match('!\S!u', $_POST['email'])) {
$sqlRequest = "SELECT ID FROM users WHERE username = :username";
$request = $pdo->prepare($sqlRequest);
- $request->bindParam(":username", htmlspecialchars($_POST['username']));
+ $request->bindParam(":username", htmlspecialchars(substr($_POST['username'], 0, 20)));
$request->execute();
$result = $request->fetchAll(PDO::FETCH_ASSOC);
if($result && $result[0]['ID'] != $_SESSION['userID']) {
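Review bot: The uniqueness lookup here binds `htmlspecialchars(substr($_POST['username'], 0, 20))`, but register.php in this same commit lowercases the name and replaces spaces with underscores before looking it up. Depending on the column's collation, a rename through settings could therefore store a username that differs from an existing one only by case or spacing, which matters for impersonation. I would compute the value once, `$userName = str_replace(" ", "_", strtolower(htmlspecialchars(substr($_POST['username'], 0, 20))));`, and bind `$userName` both here and in the UPDATE in the next hunk. The surrounding `if` block continues outside the hunk.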
@@ -21,7 +21,7 @@ if (isset($_POST['username']) && isset($_POST['email'])) {
} else {
$sqlRequest = "UPDATE users SET username = :username, email = :email WHERE ID = :userID";
$request = $pdo->prepare($sqlRequest);
- $request->bindParam(":username", htmlspecialchars($_POST['username']));
+ $request->bindParam(":username", htmlspecialchars(substr($_POST['username'], 0, 20)));
$request->bindParam(":email", htmlspecialchars($_POST['email']));
$request->bindParam(":userID", $_SESSION['userID']);
if($request->execute()) {
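Review bot: The `:email` bind next to the newly capped username still takes `htmlspecialchars($_POST['email'])` with no length bound and no format check, and it is not lowercased as register.php does with `strtolower($_POST['email'])`. Something like `$userEmail = filter_var(strtolower($_POST['email']), FILTER_VALIDATE_EMAIL);`, rejecting the request when it returns false, would keep the two entry points consistent. Separately, `bindParam` takes its argument by reference, so passing a function result raises an "Only variables should be passed by reference" notice; `bindValue` is the fitting call for these expressions, here and in the other hunks.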