Thanks for the heads up on this request for support.
Everything in a Pro Form is validated extensively both client-side and server-side, except for Custom Registration/Profile Fields implemented by a site owner. These are handled via JavaScript only.
The validation of a Custom Registration/Profile Field is based entirely on the way it’s configured by the site owner whenever they create a Custom Registration/Profile Field in the Dashboard. For example, a site owner can choose to require numerics only, or a specific number of characters, an email address, phone number, etc. Many options are available under: General Options -> Custom Registration/Profile Fields.
However, the routine within s2Member’s source code which handles the required validation scan (i.e. based on the field’s configuration by the site owner) was written in JavaScript only, and is not yet implemented server-side. Therefore, it IS still possible for a customer to bypass certain Custom Registration/Profile Field requirements if they bypass JavaScript. Not a common issue, but possible in cases where hackers are actually trying to bypass them, or on a site hosting Pro Forms that is broken in some way (e.g. JavaScript errors in other areas of the site, which might prevent s2Member Pro Forms from working as expected).
Again, not a common issue, but possible.
This will be corrected in a future release, because the validation routines are being written in PHP as well, and they’ll be integrated into the PHP form handler on the server-side too.
In the meantime, a site owner could implement their own validation routines on the server-side if they’d like.
Here’s a hack file example for PayPal Pro Forms:
/wp-content/mu-plugins/s2-hacks.php
( these are MUST USE plugins, see: http://codex.wordpress.org/Must_Use_Plugins )
<?php
// Runs on `init` at priority 1, i.e. before s2Member Pro processes the checkout.
add_action("init", "my_custom_validator", 1);

function my_custom_validator()
{
    // The nonce is only present when a PayPal Pro Form was actually submitted.
    if(!empty($_POST["s2member_pro_paypal_checkout"]["nonce"]))
    {
        // Custom Registration/Profile Field values, keyed by the field's unique ID.
        $custom_fields = stripslashes_deep($_POST["s2member_pro_paypal_checkout"]["custom_fields"]);
        // Reference to the response array that s2Member reads back when rendering the form.
        $response = &$GLOBALS["ws_plugin__s2member_pro_paypal_checkout_response"];

        if(empty($custom_fields["my_unique_field_id"])) // This custom field is missing?
        {
            // Set the error response message for s2Member to display.
            $response["error"] = TRUE;
            $response["response"] = "Custom Field ID `my_unique_field_id` is missing. Please try again.";
            // Unset this variable to prevent Pro Form processing during checkout.
            unset($_POST["s2member_pro_paypal_checkout"]["nonce"]);
        }
    }
}
?>
Here’s another example for Authorize.Net Pro Forms.
<?php
// Same approach for Authorize.Net; only the `$_POST` key and the response global differ.
// The function is named differently so both examples can live in one hack file without
// a "cannot redeclare function" fatal error.
add_action("init", "my_custom_authnet_validator", 1);

function my_custom_authnet_validator()
{
    // The nonce is only present when an Authorize.Net Pro Form was actually submitted.
    if(!empty($_POST["s2member_pro_authnet_checkout"]["nonce"]))
    {
        // Custom Registration/Profile Field values, keyed by the field's unique ID.
        $custom_fields = stripslashes_deep($_POST["s2member_pro_authnet_checkout"]["custom_fields"]);
        // Reference to the response array that s2Member reads back when rendering the form.
        $response = &$GLOBALS["ws_plugin__s2member_pro_authnet_checkout_response"];

        if(empty($custom_fields["my_unique_field_id"])) // This custom field is missing?
        {
            // Set the error response message for s2Member to display.
            $response["error"] = TRUE;
            $response["response"] = "Custom Field ID `my_unique_field_id` is missing. Please try again.";
            // Unset this variable to prevent Pro Form processing during checkout.
            unset($_POST["s2member_pro_authnet_checkout"]["nonce"]);
        }
    }
}
?>
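The two hack-file examples above only check that one field is non-empty. The post's point is that the Dashboard rules (numerics only, length limits, email, phone) are enforced in JavaScript alone, so an attacker who disables JavaScript or posts directly to the form handler skips them. The following is an added example, not s2Member's own code and not part of the original reply: one mu-plugin validator that covers both the PayPal and Authorize.Net Pro Forms and re-applies several rule types server-side. It reuses the `$_POST` keys and `ws_plugin__s2member_pro_*_checkout_response` globals named in the reply; the `$rules` table, the field IDs in it, and the function names are hypothetical stand-ins for whatever the site owner configured under Custom Registration/Profile Fields. `stripslashes_deep()` and `is_email()` are WordPress core functions, available because mu-plugins load after core.

```php
<?php
// Added example (not s2Member code): server-side re-validation of Custom
// Registration/Profile Fields for both PayPal and Authorize.Net Pro Forms.
// Drop into /wp-content/mu-plugins/s2-hacks.php.
add_action("init", "my_custom_fields_server_validator", 1);

function my_custom_fields_server_validator()
{
    // Pro Form $_POST key => global response array s2Member displays (from the reply above).
    $gateways = array(
        "s2member_pro_paypal_checkout"  => "ws_plugin__s2member_pro_paypal_checkout_response",
        "s2member_pro_authnet_checkout" => "ws_plugin__s2member_pro_authnet_checkout_response",
    );
    // HYPOTHETICAL rule table keyed by custom field ID. A real site must keep this
    // in sync with General Options -> Custom Registration/Profile Fields.
    $rules = array(
        "my_unique_field_id" => array("required" => TRUE,  "type" => "numeric", "min_len" => 4, "max_len" => 12),
        "my_email_field"     => array("required" => TRUE,  "type" => "email"),
        "my_phone_field"     => array("required" => FALSE, "type" => "phone"),
    );

    foreach($gateways as $post_key => $response_global)
    {
        if(empty($_POST[$post_key]["nonce"]))
            continue; // This Pro Form was not submitted on this request.

        $fields = isset($_POST[$post_key]["custom_fields"]) ? (array)$_POST[$post_key]["custom_fields"] : array();
        $fields = stripslashes_deep($fields);

        $error = my_custom_fields_first_error($fields, $rules);
        if($error !== NULL)
        {
            // Hand the message to s2Member and stop checkout processing, exactly as
            // the single-field examples do.
            $response = &$GLOBALS[$response_global];
            $response["error"]    = TRUE;
            $response["response"] = $error;
            unset($_POST[$post_key]["nonce"]);
        }
    }
}

// Returns the first validation error as a string, or NULL when every rule passes.
function my_custom_fields_first_error(array $fields, array $rules)
{
    foreach($rules as $id => $rule)
    {
        $value = isset($fields[$id]) ? trim((string)$fields[$id]) : "";

        if($value === "")
        {
            if(!empty($rule["required"]))
                return "Custom Field ID `".$id."` is required. Please try again.";
            continue; // Optional field left blank: nothing more to check.
        }

        $len = strlen($value); // Byte length; sufficient for the numeric/ASCII rules used here.
        if(isset($rule["min_len"]) && $len < $rule["min_len"])
            return "Custom Field ID `".$id."` must be at least ".$rule["min_len"]." characters.";
        if(isset($rule["max_len"]) && $len > $rule["max_len"])
            return "Custom Field ID `".$id."` must be at most ".$rule["max_len"]." characters.";

        switch(isset($rule["type"]) ? $rule["type"] : "")
        {
            case "numeric": // Digits only, matching a "numerics only" Dashboard setting.
                if(!ctype_digit($value))
                    return "Custom Field ID `".$id."` must contain numbers only.";
                break;
            case "email": // WordPress core validator.
                if(!is_email($value))
                    return "Custom Field ID `".$id."` must be a valid email address.";
                break;
            case "phone": // Loose check: optional leading +, then 7+ digits/separators.
                if(!preg_match('/^\+?[0-9][0-9\s().-]{6,}$/', $value))
                    return "Custom Field ID `".$id."` must be a valid phone number.";
                break;
        }
    }
    return NULL;
}
?>
```

The rule table is duplicated configuration, so it drifts if a field is later changed in the Dashboard; until the PHP-side routines the reply promises ship, treat it as the authoritative copy and update both places together. Note that the check runs for every request during `init`, but it returns immediately unless one of the two Pro Form nonces is present, so it adds no cost to ordinary page loads.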