Same username is allowed in registration if letter case differs (Postgres)

lwiz:
New users could register the same username in our forums if they used different letter case - for example user and User. The problem is Postgres-specific, I reckon, and as a quick and dirty fix I changed line 970 (the SELECT under // Make sure they don't want someone else's name.) as follows:


--- Code: ---
AND ') . '(LOWER(real_name) LIKE LOWER({string:check_name}) OR LOWER(member_name) LIKE LOWER({string:check_name}))
--- End code ---

As this is Postgres-specific, it does have an impact on very few boards, but I deem it serious enough to report, as it can be used maliciously.

-Lwiz

albertlast:
In SMF 2.1 this fix is already included: https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-Members.php#L914


--- Code: ---
// Make sure they don't want someone else's name.
$request = $smcFunc['db_query']('', '
    SELECT id_member
    FROM {db_prefix}members
    WHERE ' . (empty($current_ID_MEMBER) ? '' : 'id_member != {int:current_member}
        AND ') . '({raw:real_name} {raw:operator} LOWER({string:check_name}) OR {raw:member_name} {raw:operator} LOWER({string:check_name}))
    LIMIT 1',
    array(
        'real_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(real_name)' : 'real_name',
        'member_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(member_name)' : 'member_name',
        'current_member' => $current_ID_MEMBER,
        'check_name' => $checkName,
        'operator' => $operator,
    )
);

--- End code ---

lwiz:
Does the 2.1 code apply cleanly to 2.0 or is it 2.1 specific?

albertlast:
Dunno,
I only care about SMF 2.1 and its Postgres support.
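
An added example (not part of the thread and not SMF code): a Python/sqlite3 sketch of the case-sensitive name check reported above, the case-folded comparison, an audit for accounts that already differ only by case, and a unique expression index that enforces the rule in the database. The `smf_` prefix, the function names and the sample rows are assumptions; SQLite stands in for Postgres because both compare text case-sensitively with `=`.

```python
import sqlite3

# Constructed sample rows (id_member, member_name, real_name); "smf_" is an assumed {db_prefix}.
SAMPLE = [(1, "user", "user"), (2, "Alice", "Alice"), (3, "User", "User"), (4, "bobX1", "Bob")]

def make_db(rows=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY,"
               " member_name TEXT NOT NULL, real_name TEXT NOT NULL)")
    db.executemany("INSERT INTO smf_members VALUES (?, ?, ?)", rows)
    return db

def name_taken_exact(db, name):
    """Case-sensitive comparison: 'USER' passes although 'user' is registered."""
    sql = ("SELECT id_member FROM smf_members"
           " WHERE real_name = ? OR member_name = ? LIMIT 1")
    return db.execute(sql, (name, name)).fetchone() is not None

def name_taken_folded(db, name):
    """Case-folded comparison. '=' rather than LIKE, so '_' and '%' in a
    requested name are compared literally instead of acting as wildcards."""
    sql = ("SELECT id_member FROM smf_members WHERE LOWER(real_name) = LOWER(?)"
           " OR LOWER(member_name) = LOWER(?) LIMIT 1")
    return db.execute(sql, (name, name)).fetchone() is not None

def find_case_collisions(db):
    """Audit: ids of existing accounts whose member_name differs only by case."""
    groups = {}
    sql = "SELECT LOWER(member_name), id_member FROM smf_members ORDER BY id_member"
    for folded, id_member in db.execute(sql):
        groups.setdefault(folded, []).append(id_member)
    return {name: ids for name, ids in groups.items() if len(ids) > 1}

def enforce_unique_folded(db):
    """Unique expression index: the database rejects case variants even if the
    application-level check is skipped or raced. Creation fails while
    collisions remain, so run the audit first."""
    db.execute("CREATE UNIQUE INDEX members_name_folded"
               " ON smf_members (LOWER(member_name))")

if __name__ == "__main__":
    db = make_db()
    print(name_taken_exact(db, "USER"), name_taken_folded(db, "USER"))
    print(find_case_collisions(db))
```
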
