Allowing Multiple Emails

Started by Eliana Tamerin, February 24, 2008, 10:27:56 AM

Previous topic - Next topic

Eliana Tamerin

This has been a pipe dream of mine for a few years, and just recently, a friend who used to develop the SMF code told me that there was an option or way in the code to disable the check for multiple emails. I understand the security risks, I understand that users can login with their email and that this could cause confusion for the software. If you don't want the log explanation, skip below.

I run a few RPG boards on SMF. Many times the players want to play multiple characters, which is allowed under our rules. However, they have to come up with a new email for each character, and they aren't savvy enough to make each email forward to their real email. So they complain of having to check each email manually, which can become a grueling exercise if one has a few characters. The easiest way would be to simply allow players to register each character account under one email.

Ok. So, I searched through the registration source code, and I believe I found the one place where it checks the email. Unfortunately, the code is MySQL and php combined. I can typically figure out php sometimes, but not this time. So here's the code:

$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}members
WHERE emailAddress = '$_POST[new_email]'
LIMIT 1", __FILE__, __LINE__);
// !!! Separate the sprintf?
if (mysql_num_rows($request) != 0)
fatal_error(sprintf($txt[730], htmlspecialchars($_POST['new_email'])), false);
mysql_free_result($request);

updateMemberData($row['ID_MEMBER'], array('emailAddress' => "'$_POST[new_email]'"));
$row['emailAddress'] = stripslashes($_POST['new_email']);

$email_change = true;


Now I see a few things. Could it be that it's just as simple as setting $email_change to false? Or do I have to edit the MySQL call? Or the if statement?

I also looked through the profile, because this code also prevents unique emails.

$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}members
WHERE ID_MEMBER != $memID
AND emailAddress = '$_POST[emailAddress]'
LIMIT 1", __FILE__, __LINE__);
if (mysql_num_rows($request) > 0)
$post_errors[] = 'email_taken';
mysql_free_result($request);

$profile_vars['emailAddress'] = '\'' . $_POST['emailAddress'] . '\'';
}


There's no easy true/false option here, so I'm guessing it would have to be something in the if statement. I can understand that the db query ($request) is going to spit out a number of mysql rows, and if there's even one, the email is obviously taken. So maybe it's just morning, but how do I trick the if statement into thinking that there are never any emails? Or can I just set the number higher, like 9? That would allow 9 accounts per email, right?
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

karlbenson

Why not just use the multiple persona mod?

Eliana Tamerin

I do. A new account has to be registered before it can be linked. Which kind of defeats the purpose of the entire mod. So the problem is still around.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

rsw686

This code below polls the database to see if an email matches and then redirect the user to an error message. I would just comment it all out, or remove it if you prefer, and you should be good to go.


$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}members
WHERE emailAddress = '$_POST[new_email]'
LIMIT 1", __FILE__, __LINE__);
// !!! Separate the sprintf?
if (mysql_num_rows($request) != 0)
fatal_error(sprintf($txt[730], htmlspecialchars($_POST['new_email'])), false);
mysql_free_result($request);
The Reptile File
Everything reptile for anyone reptile friendly

Aquaria Talk
Community for freshwater and saltwater aquariums enthusiasts

Eliana Tamerin

I tried that. Unfortunately, it didn't work. Nor did simply changing the if statement to if (mysql_num_rows($request) > 9) or any arbitrary number like that. There must be other built-in safeguards for this.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Eliana Tamerin

Any other ideas? It has been a couple days since the last post, so I thought I'd refresh it so it's not forgotten. To reiterate, commenting out the code does not work, nor does changing the arguments of the if statement to only activate for results greater than 9.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Eliana Tamerin

Well, I wanted to bump this again to see if there was any continued thoughts on this possibility.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Bulakbol

There might be a javascript involved.
Please do not PM me for support · My Mods and Theme · SMF Coding Guidelines · Modifications Approval Guidelines

Eliana Tamerin

Either that, or there might be other checks. Not sure how javascript would play a part in the source files, I thought that was more for the template files. Karlbenson thought there might be some confusion with the ban system queries if multiple emails were used.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Bulakbol

Who knows. Javascript is all over the place. Unfortunately, I understand very very little about js.  Karlbenson might be right.
Please do not PM me for support · My Mods and Theme · SMF Coding Guidelines · Modifications Approval Guidelines

Eliana Tamerin

I don't think JS would make much sense in the source files, I don't think those are even seen by the end-users except their results. But I could definitely be wrong.

Are there any other files that you've seen that might control member emails at all?
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Bulakbol

I took a quick glance on the Register.template,.php and saw some Martian language in there (js).  :P
Please do not PM me for support · My Mods and Theme · SMF Coding Guidelines · Modifications Approval Guidelines

rsw686

The javascript code in SMF runs on the client side. So if ther registration error is returned by the server than you just need to look at the PHP source files.
The Reptile File
Everything reptile for anyone reptile friendly

Aquaria Talk
Community for freshwater and saltwater aquariums enthusiasts

Eliana Tamerin

Yeah, I'm going to have a dig into the source files this week. See if I can't come up with anything useful.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

fwitt

Bit of lateral thinking here on the problem...

What about making a Custom Profile field that contains a list of characters that are played by that user, and on the in game boards have a drop down menu when the users post that lets them select which character that post is made by.

you end up with one account per person and are only editing files that there is lots of information on how to edit.

Eliana Tamerin

#15
That is an alternate option, and could be done by extending karlbenson's Admins Can Post As Alternative User mod, but it's not the solution I would prefer.

I did find another instance of the code in subs-members.php on lines 678-688. So I'll make a try with all three of those source files edited and see what that does.

EDIT: Changing all three lines of

if (mysql_num_rows($request) > 0)
or
if (mysql_num_rows($request) != 0)

to (9 as an arbitrary number)
if (mysql_num_rows($request) > 9)

Worked! I registered two user accounts, one through the admin registration area and one through the normal registration page. I was also able to change emails via the profile (as an admin) to the same emails in two user accounts.

I'm going to test out the ban settings, from a discussion with karlbenson, he thought there might be a problem with those.

EDIT EDIT: I tested out the ban settings by username, and that only banned the specific username, and not the other usernames that shared emails. A possible issue, but I can be satisfied with banning by email address and username, should the need ever arise to ban someone. I don't think it would, however.

Anyhow, email bans work as expected, banning both accounts.

The only errors I have in my log are failures to connect to STMP (because I'm using my localhost without internet on another computer) and subsequent failures to email on registration. And then the ban errors (banned people trying to log in, silly people!).

Overall, however, this was a success. I'm thinking of posting this in the tips and tricks boards for others who want this (as I've seen topics about it before). The only thing is, well, two things. Logging in by username will log into the first account registered to that username (the one with the lowest user ID). And banning by username will only ban that username, however the cookies stored on the computer as a result of the banning may effectively ban the other usernames unless the cookies are deleted.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Dragooon

Try this
in Subs-Members.php
Find
// Check if the email address is in use.
$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}members
WHERE emailAddress = '$regOptions[email]'
OR emailAddress = '$regOptions[username]'
LIMIT 1", __FILE__, __LINE__);
// !!! Separate the sprintf?
if (mysql_num_rows($request) != 0)
fatal_error(sprintf($txt[730], htmlspecialchars($regOptions['email'])), false);
mysql_free_result($request);

And just remove it.
Make sure to backup though.

Eliana Tamerin

Yep, I found that. Didn't remove it, though, just tricked the system. I'm not too sure what a query like that would return (a string? an integer?) so I'm not too certain if I've imposed a limit of 9 shared accounts or just opened it up for unlimited.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Dragooon

You imposed a limit of 9, Removing that should not harm. Thats the whole code which checks the e-mail and doesn't passes any values, so removing it should be safe.

Eliana Tamerin

#19
Sure. But also useful to know if one can impose a limit, so that if a certain site needed to have multiple accounts by the same people, but only x number of accounts, it would allow up to that number.

I think I'm going to compile a list of reasons why this shouldn't be done, so that if I put this into the tips and tricks board, I can adequately warn users of why they shouldn't use this trick.

EDIT: I did so in the first post. Grudge or an admin, could this be moved to the tips/tricks board? This would definitely help out some people.

EDIT2: I started a new topic for this instead, as per the guidelines in the Tips/Tricks board.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

Advertisement: