Joined: Sep 1999
Posts: 76
Power User
On my boards I only allow one username per email address, and it's been that way for the longest time. Recently, however, I've had a troublesome user which I've had to ban. After banning him, he created another username with the same email address! After banning that, he did it again. I've now resorted to banning his IP to stop him from posting. But even then he can continue to create new usernames.

The strange thing is that I can register a new user too using his email address, and this user gets added! I've got three usernames all with the same email addresses now, and I can keep creating more.

After registering with the suspect email address, adduser.php comes back with:

Username has been registered.
Your username has been reserved. You should be receiving an email shortly with your password.

The thing that's worth noting is that the 3 usernames, their U_Email and U_RegEmail were as follows:

user1, [null], [email protected]
user2, [email protected], [email protected]
user3, [email protected], [email protected]

They're all identical except for user1's Email being blank/null. I think this is the root cause of the problem.

In adduser.php, line 147, the check for multiple usernames per email address is done. The SQL statement selects U_Email from the user table, and then checks if the new user's email address matches against this. In my case, where user1 had a null entry for U_Email, the check fails (null != [email protected]) and the user is allowed to register. This can go on forever.

So how should this be fixed? I'm guessing the check should be made against U_RegEmail instead of U_Email.

Any thoughts?

I tried searching the boards here, at Infopop (yuck), and the changelogs and couldn't find anything related to this problem. So I'm guessing this applies to 6.0.2 as well.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Per the Changelog for Version 6.1 (which I believe may be out sometime in August):

"Added email validation code to check for a valid email address format when a user registers."

So I think Rick is on top of this "loophole" and thus it will be fixed in the next version.

Hope that helps!

Joined: Apr 2002
Posts: 1,768
Addict
"They're all identical except for user1's Email being blank/null. I think this is the root cause of the problem."


What about changing user1's email address to something that's nonblank?

Joined: Jun 2002
Posts: 375
Enthusiast
If he has a static IP, then just block his IP from accessing your entire website. (If you have access to this ability on your server that is)

Joined: Sep 1999
Posts: 76
Power User
"Added email validation code to check for a valid email address format when a user registers."


Actually, JoshPet, I think this has more to do with checking if the email address given is valid/existing, and not just some dummy foo@bar address. In my case, the email address the user is supplying is valid and existing.

The problem is that the checking for non-multiple usernames per email account doesn't work properly. I've since changed the SQL statement to check against the RegEmail instead of just the Email field and that appears to work.

And to the others that replied, thanks, but I wasn't specifically looking for ways of blocking this person from my site (which I thought I mentioned that I managed with the IP ban), but the problem with the code is still there, and thought I'd bring it to Rick's, and everyone else's, attention.

Cheers guys.

Joined: May 1999
Posts: 3,039
Guru
Hmm, this is strange. That query checks against the U_Email and the U_RegEmail field. Basically it just checks to see if it returns any rows if there is a match on either of these fields. Not real sure why this isn't working properly but I'll need to look at it closer.


UBB.threads Developer
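
Added example, not part of any post in this thread and not UBB.threads code: a model of one reading that fits both descriptions above (the query matches on either column, but the decision compares the first returned row's U_Email with the new address), next to a check that decides on whether any row matched. SQLite stands in for the forum's database; the `users` table, the `U_Username` column, the function names and the placeholder address are assumptions.

```python
import sqlite3

ADDR = "member@example.test"  # constructed placeholder address
# Constructed rows shaped like the three in the thread:
# (username, U_Email, U_RegEmail)
ROWS = [("user1", None, ADDR), ("user2", ADDR, ADDR), ("user3", ADDR, ADDR)]

def make_db(rows=()):
    """In-memory stand-in; table and U_Username names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (U_Username TEXT PRIMARY KEY,"
               " U_Email TEXT, U_RegEmail TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return db

def taken_by_first_row(db, email):
    """Modelled flaw: the query matches either column, but the decision
    compares the first returned row's U_Email with the new address."""
    row = db.execute("SELECT U_Email FROM users WHERE U_Email = ?"
                     " OR U_RegEmail = ? ORDER BY rowid",
                     (email, email)).fetchone()
    return row is not None and row[0] == email  # NULL U_Email -> False

def taken_by_existence(db, email):
    """Decide on whether any row matched; compare case-insensitively."""
    e = email.strip().lower()
    row = db.execute("SELECT 1 FROM users WHERE lower(trim(U_Email)) = ?"
                     " OR lower(trim(U_RegEmail)) = ? LIMIT 1",
                     (e, e)).fetchone()
    return row is not None

def register(db, username, email, check):
    """Insert the user unless `check` reports the address as already used."""
    if check(db, email):
        return False
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, email, email))
    return True

if __name__ == "__main__":
    db = make_db(ROWS[:1])  # only user1, whose U_Email is NULL
    print(register(db, "user2", ADDR, taken_by_first_row))  # True: duplicate accepted
    print(register(db, "user3", ADDR, taken_by_existence))  # False: duplicate refused
```
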

The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 