Allowing Multiple Emails

Eliana Tamerin · February 24, 2008, 10:27:56 AM

This has been a pipe dream of mine for a few years, and just recently, a friend who used to develop the SMF code told me that there was an option or way in the code to disable the check for multiple emails. I understand the security risks, I understand that users can login with their email and that this could cause confusion for the software. If you don't want the log explanation, skip below.

I run a few RPG boards on SMF. Many times the players want to play multiple characters, which is allowed under our rules. However, they have to come up with a new email for each character, and they aren't savvy enough to make each email forward to their real email. So they complain of having to check each email manually, which can become a grueling exercise if one has a few characters. The easiest way would be to simply allow players to register each character account under one email.

Ok. So, I searched through the registration source code, and I believe I found the one place where it checks the email. Unfortunately, the code is MySQL and php combined. I can typically figure out php sometimes, but not this time. So here's the code:

Code Select

		$request = db_query("
			SELECT ID_MEMBER
			FROM {$db_prefix}members
			WHERE emailAddress = '$_POST[new_email]'
			LIMIT 1", __FILE__, __LINE__);
		// !!! Separate the sprintf?
		if (mysql_num_rows($request) != 0)
			fatal_error(sprintf($txt[730], htmlspecialchars($_POST['new_email'])), false);
		mysql_free_result($request);

		updateMemberData($row['ID_MEMBER'], array('emailAddress' => "'$_POST[new_email]'"));
		$row['emailAddress'] = stripslashes($_POST['new_email']);

		$email_change = true;

Now I see a few things. Could it be that it's just as simple as setting $email_change to false? Or do I have to edit the MySQL call? Or the if statement?

I also looked through the profile, because this code also prevents unique emails.

Code Select

			$request = db_query("
				SELECT ID_MEMBER
				FROM {$db_prefix}members
				WHERE ID_MEMBER != $memID
					AND emailAddress = '$_POST[emailAddress]'
				LIMIT 1", __FILE__, __LINE__);
			if (mysql_num_rows($request) > 0)
				$post_errors[] = 'email_taken';
			mysql_free_result($request);

			$profile_vars['emailAddress'] = '\'' . $_POST['emailAddress'] . '\'';
		}

There's no easy true/false option here, so I'm guessing it would have to be something in the if statement. I can understand that the db query ($request) is going to spit out a number of mysql rows, and if there's even one, the email is obviously taken. So maybe it's just morning, but how do I trick the if statement into thinking that there are never any emails? Or can I just set the number higher, like 9? That would allow 9 accounts per email, right?

karlbenson · February 24, 2008, 10:29:20 AM

Why not just use the multiple persona mod?

Eliana Tamerin · February 24, 2008, 10:30:30 AM

I do. A new account has to be registered before it can be linked. Which kind of defeats the purpose of the entire mod. So the problem is still around.

rsw686 · February 24, 2008, 12:20:41 PM

This code below polls the database to see if an email matches and then redirect the user to an error message. I would just comment it all out, or remove it if you prefer, and you should be good to go.

Code Select


		$request = db_query("
			SELECT ID_MEMBER
			FROM {$db_prefix}members
			WHERE emailAddress = '$_POST[new_email]'
			LIMIT 1", __FILE__, __LINE__);
		// !!! Separate the sprintf?
		if (mysql_num_rows($request) != 0)
			fatal_error(sprintf($txt[730], htmlspecialchars($_POST['new_email'])), false);
		mysql_free_result($request);

Eliana Tamerin · February 24, 2008, 01:18:54 PM

I tried that. Unfortunately, it didn't work. Nor did simply changing the if statement to if (mysql_num_rows($request) > 9) or any arbitrary number like that. There must be other built-in safeguards for this.

Eliana Tamerin · February 26, 2008, 04:44:04 PM

Any other ideas? It has been a couple days since the last post, so I thought I'd refresh it so it's not forgotten. To reiterate, commenting out the code does not work, nor does changing the arguments of the if statement to only activate for results greater than 9.

Eliana Tamerin · March 06, 2008, 11:45:39 PM

Well, I wanted to bump this again to see if there was any continued thoughts on this possibility.

Bulakbol · March 12, 2008, 06:28:20 PM

There might be a javascript involved.

Eliana Tamerin · March 12, 2008, 06:43:17 PM

Either that, or there might be other checks. Not sure how javascript would play a part in the source files, I thought that was more for the template files. Karlbenson thought there might be some confusion with the ban system queries if multiple emails were used.

Bulakbol · March 12, 2008, 06:49:58 PM

Who knows. Javascript is all over the place. Unfortunately, I understand very very little about js. Karlbenson might be right.

Eliana Tamerin · March 12, 2008, 07:04:04 PM

I don't think JS would make much sense in the source files, I don't think those are even seen by the end-users except their results. But I could definitely be wrong.

Are there any other files that you've seen that might control member emails at all?

Bulakbol · March 12, 2008, 07:33:43 PM

I took a quick glance on the Register.template,.php and saw some Martian language in there (js).

rsw686 · March 16, 2008, 09:36:58 AM

The javascript code in SMF runs on the client side. So if ther registration error is returned by the server than you just need to look at the PHP source files.

Eliana Tamerin · March 16, 2008, 10:49:02 AM

Yeah, I'm going to have a dig into the source files this week. See if I can't come up with anything useful.

fwitt · March 16, 2008, 11:13:33 AM

Bit of lateral thinking here on the problem...

What about making a Custom Profile field that contains a list of characters that are played by that user, and on the in game boards have a drop down menu when the users post that lets them select which character that post is made by.

you end up with one account per person and are only editing files that there is lots of information on how to edit.

Eliana Tamerin · March 16, 2008, 11:34:57 AM

That is an alternate option, and could be done by extending karlbenson's Admins Can Post As Alternative User mod, but it's not the solution I would prefer.

I did find another instance of the code in subs-members.php on lines 678-688. So I'll make a try with all three of those source files edited and see what that does.

EDIT: Changing all three lines of

Code Select

if (mysql_num_rows($request) > 0)
or

Code Select

if (mysql_num_rows($request) != 0)

to (9 as an arbitrary number)

Code Select

if (mysql_num_rows($request) > 9)

Worked! I registered two user accounts, one through the admin registration area and one through the normal registration page. I was also able to change emails via the profile (as an admin) to the same emails in two user accounts.

I'm going to test out the ban settings, from a discussion with karlbenson, he thought there might be a problem with those.

EDIT EDIT: I tested out the ban settings by username, and that only banned the specific username, and not the other usernames that shared emails. A possible issue, but I can be satisfied with banning by email address and username, should the need ever arise to ban someone. I don't think it would, however.

Anyhow, email bans work as expected, banning both accounts.

The only errors I have in my log are failures to connect to STMP (because I'm using my localhost without internet on another computer) and subsequent failures to email on registration. And then the ban errors (banned people trying to log in, silly people!).

Overall, however, this was a success. I'm thinking of posting this in the tips and tricks boards for others who want this (as I've seen topics about it before). The only thing is, well, two things. Logging in by username will log into the first account registered to that username (the one with the lowest user ID). And banning by username will only ban that username, however the cookies stored on the computer as a result of the banning may effectively ban the other usernames unless the cookies are deleted.

Dragooon · March 16, 2008, 11:42:43 AM

Try this
in Subs-Members.php
Find

Code Select

	// Check if the email address is in use.
	$request = db_query("
		SELECT ID_MEMBER
		FROM {$db_prefix}members
		WHERE emailAddress = '$regOptions[email]'
			OR emailAddress = '$regOptions[username]'
		LIMIT 1", __FILE__, __LINE__);
	// !!! Separate the sprintf?
	if (mysql_num_rows($request) != 0)
		fatal_error(sprintf($txt[730], htmlspecialchars($regOptions['email'])), false);
	mysql_free_result($request);

And just remove it.
Make sure to backup though.

Eliana Tamerin · March 16, 2008, 12:01:34 PM

Yep, I found that. Didn't remove it, though, just tricked the system. I'm not too sure what a query like that would return (a string? an integer?) so I'm not too certain if I've imposed a limit of 9 shared accounts or just opened it up for unlimited.

Dragooon · March 16, 2008, 12:04:03 PM

You imposed a limit of 9, Removing that should not harm. Thats the whole code which checks the e-mail and doesn't passes any values, so removing it should be safe.

Eliana Tamerin · March 16, 2008, 12:20:54 PM

Sure. But also useful to know if one can impose a limit, so that if a certain site needed to have multiple accounts by the same people, but only x number of accounts, it would allow up to that number.

I think I'm going to compile a list of reasons why this shouldn't be done, so that if I put this into the tips and tricks board, I can adequately warn users of why they shouldn't use this trick.

EDIT: I did so in the first post. Grudge or an admin, could this be moved to the tips/tricks board? This would definitely help out some people.

EDIT2: I started a new topic for this instead, as per the guidelines in the Tips/Tricks board.

News:

Allowing Multiple Emails