UBB.Dev
Posted By: Myke [6.0.1] Multiple username per email, and banning - 07/28/2002 7:52 AM
On my boards I only allow one username per email address, and it's been that way for the longest time. Recently, however, I've had a troublesome user which I've had to ban. After banning him, he created another username with the same email address! After banning that, he did it again. I've now resorted to banning his IP to stop him from posting. But even then he can continue to create new usernames.

The strange thing is that I can register a new user too using his email address, and this user gets added! I've got three usernames all with the same email addresses now, and I can keep creating more.

After registering with the suspect email address, adduser.php comes back with:

Username has been registered.
Your username has been reserved. You should be receiving an email shortly with your password.

The thing that's worth noting is that the 3 usernames, their U_Email and U_RegEmail were as follows:

user1, [null], [email protected]
user2, [email protected], [email protected]
user3, [email protected], [email protected]

They're all identical except for user1's Email being blank/null. I think this is the root cause of the problem.

In adduser.php, line 147, the check for multiple usernames per email address is done. The SQL statement selects U_Email from the user table, and then checks if the new user's email address matches against this. In my case, where user1 had a null entry for U_Email, the check fails (null != [email protected]) and the user is allowed to register. This can go on forever.

So how should this be fixed? I'm guessing the check should be made against U_RegEmail instead of U_Email.

Any thoughts?

I tried searching the boards here, at Infopop (yuck), and the changelogs and couldn't find anything related to this problem. So I'm guessing this applies to 6.0.2 as well.
Per the Changelog for Version 6.1 (which I believe may be out sometime in August):

"Added email validation code to check for a valid email address format when a user registers."

So I think Rick is on top of this "loophole" and thus it will be fixed in the next version.

Hope that helps!
"They're all identical except for user1's Email being blank/null. I think this is the root cause of the problem."


What about changing user1's email address to something that's nonblank?
If he has a static IP, then just block his IP from accessing your entire website. (If you have access to this ability on your server that is)
Posted By: Myke Re: [6.0.1] Multiple username per email, and banni - 07/29/2002 11:33 AM
"Added email validation code to check for a valid email address format when a user registers."


Actually, JoshPet, I think this has more to do with checking if the email address given is valid/existing, and not just some dummy foo@bar address. In my case, the email address the user is supplying is valid and existing.

The problem is that the checking for non-multiple usernames per email account doesn't work properly. I've since changed the SQL statement to check against the RegEmail instead of just the Email field and that appears to work.

And to the others that replied, thanks, but I wasn't specifically looking for ways of blocking this person from my site (which I thought I mentioned that I managed with the IP ban), but the problem with the code is still there, and thought I'd bring it to Rick's, and everyone else's, attention.

Cheers guys.
Hmm, this is strange. That query checks against the U_Email and the U_RegEmail field. Basically it just checks to see if it returns any rows if there is a match on either of these fields. Not real sure why this isn't working properly but I'll need to look at it closer.
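
Added example, not part of the thread and not UBB code: one way the behavior described above could arise, assuming the check compares only the first matching row's U_Email with the submitted address, shown next to a check that treats any match on U_Email or U_RegEmail as taken. The table name, sample address and function names are assumptions; only the two column names come from the thread.

```python
import sqlite3

def make_db():
    """Constructed sample data mirroring the three rows listed in the thread."""
    db = sqlite3.connect(":memory:")
    # Table name "users" is hypothetical; U_Email / U_RegEmail come from the thread.
    db.execute("CREATE TABLE users (U_Username TEXT, U_Email TEXT, U_RegEmail TEXT)")
    addr = "member@example.test"  # constructed address
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("user1", None, addr), ("user2", addr, addr), ("user3", addr, addr)],
    )
    return db, addr

def email_taken_first_row(db, email):
    """Assumed faulty logic: match on either column, then compare only the
    first returned row's U_Email with the submitted address."""
    row = db.execute(
        "SELECT U_Email FROM users WHERE U_Email = ? OR U_RegEmail = ? "
        "ORDER BY rowid LIMIT 1",
        (email, email),
    ).fetchone()
    # user1 comes back first with U_Email NULL, so the comparison is False.
    return row is not None and row[0] == email

def email_taken_any_row(db, email):
    """Any row matching on either column means the address is in use.
    Normalizes case and whitespace; a NULL U_Email cannot mask a match."""
    e = email.strip().lower()
    row = db.execute(
        "SELECT 1 FROM users WHERE lower(U_Email) = ? OR lower(U_RegEmail) = ? LIMIT 1",
        (e, e),
    ).fetchone()
    return row is not None

def duplicate_registrations(db):
    """Audit query: registration addresses shared by more than one username."""
    return db.execute(
        "SELECT lower(U_RegEmail), COUNT(*) FROM users "
        "GROUP BY lower(U_RegEmail) HAVING COUNT(*) > 1"
    ).fetchall()

if __name__ == "__main__":
    db, addr = make_db()
    print("first-row check says taken:", email_taken_first_row(db, addr))
    print("any-row check says taken:  ", email_taken_any_row(db, addr))
    print("shared registration emails:", duplicate_registrations(db))
```

The audit query is worth running once after changing the check, since accounts created while the check was bypassed remain in the table.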