Same username is allowed in registration if letter case differs (Postgres)

Started by lwiz, March 01, 2018, 07:13:33 AM


lwiz

New users could register the same username in our forums if they used different case in letters - for example user and User. The problem is Postgres specific I reckon and for a quick and dirty fix I changed line 970 (the SELECT under // Make sure they don't want someone else's name.) as follows:

AND ') . '(LOWER(real_name) LIKE LOWER({string:check_name}) OR LOWER(member_name) LIKE LOWER({string:check_name}))

As this is Postgres-specific, it has an impact on only a very few boards, but I deem it serious enough to report, as it can be used maliciously.

-Lwiz

albertlast

In SMF 2.1 this fix is already included: https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-Members.php#L914


// Make sure they don't want someone else's name.
$request = $smcFunc['db_query']('', '
    SELECT id_member
    FROM {db_prefix}members
    WHERE ' . (empty($current_ID_MEMBER) ? '' : 'id_member != {int:current_member}
        AND ') . '({raw:real_name} {raw:operator} LOWER({string:check_name}) OR {raw:member_name} {raw:operator} LOWER({string:check_name}))
    LIMIT 1',
    array(
        'real_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(real_name)' : 'real_name',
        'member_name' => $smcFunc['db_case_sensitive'] ? 'LOWER(member_name)' : 'member_name',
        'current_member' => $current_ID_MEMBER,
        'check_name' => $checkName,
        'operator' => $operator,
    )
);
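A follow-up check for a board that ran on PostgreSQL before this fix: the audit query below lists names that more than one account already holds once letter case is ignored, across both member_name and real_name, matching the OR in the check above. It is an added example, not part of the thread or of SMF's code; the table name smf_members assumes {db_prefix} is "smf_", and the sample rows are constructed so it can be tried on a scratch database.

```sql
-- Added example (not SMF code). Assumption: {db_prefix} is "smf_".
-- The temporary table and its rows are constructed sample data; on a real
-- board, skip CREATE/INSERT and run only the final query.
CREATE TEMP TABLE smf_members (
    id_member   integer PRIMARY KEY,
    member_name varchar(80)  NOT NULL,
    real_name   varchar(255) NOT NULL
);

INSERT INTO smf_members (id_member, member_name, real_name) VALUES
    (1, 'user',  'user'),
    (2, 'User',  'User'),   -- differs from id 1 only by letter case
    (3, 'alice', 'Alice'),
    (4, 'bob',   'ALICE');  -- display name collides with id 3

-- Collect every name a member holds (login name or display name), folded
-- with LOWER() the same way the patched registration check compares them.
-- UNION (not UNION ALL) keeps one row per member and folded name, so a
-- member whose two names fold to the same value is not counted twice.
WITH names AS (
    SELECT id_member, LOWER(member_name) AS folded FROM smf_members
    UNION
    SELECT id_member, LOWER(real_name) FROM smf_members
)
SELECT folded,
       COUNT(*) AS holders,
       array_agg(id_member ORDER BY id_member) AS member_ids
FROM names
GROUP BY folded
HAVING COUNT(*) > 1   -- only names claimed by more than one account
ORDER BY folded;
```

Each returned row is a set of accounts that the case-insensitive check would have refused to let coexist, so they are the ones to review for impersonation.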
