On my boards I only allow one username per email address, and it's been that way for the longest time. Recently, however, I've had a troublesome user whom I've had to ban. After banning him, he created another username with the same email address! After banning that, he did it again. I've now resorted to banning his IP to stop him from posting. But even then he can continue to create new usernames.
The strange thing is that I can register a new user too using his email address, and this user gets added! I've got three usernames all with the same email addresses now, and I can keep creating more.
After registering with the suspect email address, adduser.php comes back with:
Username has been registered.Your username has been reserved. You should be receiving an email shortly with your password.
The thing that's worth noting is that the 3 usernames, their U_Email and U_RegEmail were as follows:
user1, [null], [email protected]
user2, [email protected], [email protected]
user3, [email protected], [email protected]
They're all identical except for user1's Email being blank/null. I think this is the root cause of the problem.
In adduser.php, line 147, the check for multiple usernames per email address is done. The SQL statement selects U_Email from the user table, and then checks if the new user's email address matches against this. In my case, where user1 had a null entry for U_Email, the check fails (null != [email protected]) and the user is allowed to register. This can go on forever.
So how should this be fixed? I'm guessing the check should be made against U_RegEmail instead of U_Email.
Any thoughts?
I tried searching the boards here, at Infopop (yuck), and the changelogs and couldn't find anything related to this problem. So I'm guessing this applies to 6.0.2 as well.
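Added example, not part of the original post and not the board software's own code: a small SQLite model of the state the post describes when only user1 existed, showing a U_Email-only duplicate check missing the address, a check against both columns catching it, and a unique index on the registration address as a database-level backstop. The table name `users`, the helper names and the address `member@example.com` are assumptions made for the illustration.

```python
import sqlite3

# Constructed row modelled on the post: user1 has a NULL U_Email but a
# populated U_RegEmail. member@example.com is a placeholder address.
USER1 = ("user1", None, "member@example.com")

def make_db(rows, unique_regemail=False):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (U_Username TEXT PRIMARY KEY,"
               " U_Email TEXT, U_RegEmail TEXT)")
    if unique_regemail:
        # Database-level backstop: one account per registration address,
        # case-insensitively, even if the application check is skipped or raced.
        db.execute("CREATE UNIQUE INDEX ux_regemail"
                   " ON users (lower(U_RegEmail))")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return db

def taken_u_email_only(db, email):
    # Modelled on the check the post describes: only U_Email is compared.
    # In SQL, NULL = 'x' is never true, so user1's row cannot match.
    q = "SELECT 1 FROM users WHERE U_Email = ? LIMIT 1"
    return db.execute(q, (email,)).fetchone() is not None

def taken_either_column(db, email):
    # Compare the normalised address against both columns.
    norm = email.strip().lower()
    q = ("SELECT 1 FROM users WHERE lower(trim(U_Email)) = ?"
         " OR lower(trim(U_RegEmail)) = ? LIMIT 1")
    return db.execute(q, (norm, norm)).fetchone() is not None

def try_register(db, username, email):
    # Returns True if the row was inserted, False if a constraint rejected it.
    try:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (username, email, email))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = make_db([USER1])
    print(taken_u_email_only(db, "member@example.com"))   # duplicate missed
    print(taken_either_column(db, "Member@Example.com"))  # duplicate caught
    guarded = make_db([USER1], unique_regemail=True)
    print(try_register(guarded, "user2", "MEMBER@example.com"))
```

The unique index only helps if existing duplicate rows are cleaned up first, since the index cannot be created while duplicates are present.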