Hi,
I downloaded a freeware login script, but have some issues with major security flaws and bugs. One thing I've noticed is that it's not verifying the user names are unique when people register. I've tracked the problem down to the following lines of code:
// Posted values are interpolated straight into the SQL (unescaped)
$sql = "SELECT username FROM ".$prefix."_users WHERE username='$HTTP_POST_VARS[username]'";
$result = $db->query($sql);
$sql2 = "SELECT email FROM ".$prefix."_users WHERE email='$HTTP_POST_VARS[email]'";
$result2 = $db->query($sql2);
$num = $db->num($result);
$num2 = $db->num($result2);
if(($num > 0) || ($num2 > 0)) {
    if($num > 0) {
        $display .= "<font class=\"text\">That username is already taken. Please choose another one</font><br />";
        unset($HTTP_POST_VARS['username']);
    }
    if($num2 > 0) {
        $display .= "<font class=\"text\">That email address is already in use. If you've already registered, and forgot your password, please use the <a href=\"forgot.php\">Password Recovery</a> system.</font><br />";
        unset($HTTP_POST_VARS['email']);
    }
}
If I try to register with a different user name, but the same email address as an existing user, I enter both the if($num2 > 0) AND if ($num > 0) cases. But if I try to register with just the same user name as an existing user, but a unique email address, neither case matches.
Unfortunately my knowledge of PHP and SQL databases is severely lacking, and nothing is immediately obvious to me about what's wrong, or even where to start looking.
Any ideas would be greatly appreciated.
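Editor's note with an added example, not code from the freeware script or from the poster. The posted snippet has two separate problems worth keeping apart. First, `$HTTP_POST_VARS[username]` and `$HTTP_POST_VARS[email]` are pasted straight into the SQL text, so any value containing a single quote changes the query (classic SQL injection). Second, the symptom pattern described above (both messages when only the email is a duplicate, neither when only the username is) is what you would see if `$num` and `$num2` both ended up counting the rows of the second query; the `$db->num()` implementation is not shown on the page, so that is a hypothesis, not a diagnosis. The rewrite below sidesteps both: it uses PDO prepared statements with bound values, counts each lookup on its own statement, and puts `UNIQUE` constraints on the table so a duplicate that slips past the check still cannot be inserted. The `Registration` class, the `site` prefix, the table layout and the sample rows are all assumptions made for the example; it runs stand-alone against an in-memory SQLite database (requires the `pdo_sqlite` extension).

```php
<?php
// Added example, not the original script's code. Replaces the posted
// $db->query()/$db->num() pattern with prepared statements.

final class Registration
{
    private PDO $pdo;
    private string $prefix; // table prefix from config, never from user input

    public function __construct(PDO $pdo, string $prefix)
    {
        $this->pdo = $pdo;
        $this->prefix = $prefix;
    }

    // Returns the list of problems with this username/email pair;
    // an empty array means both are free.
    public function conflicts(string $username, string $email): array
    {
        $problems = [];
        if ($this->exists('username', $username)) {
            $problems[] = 'That username is already taken. Please choose another one';
        }
        if ($this->exists('email', $email)) {
            $problems[] = 'That email address is already in use.';
        }
        return $problems;
    }

    // One prepared statement per lookup. The column name comes from a fixed
    // whitelist; the value is bound as a parameter, so a quote in the posted
    // value is just data, not SQL.
    private function exists(string $column, string $value): bool
    {
        if (!in_array($column, ['username', 'email'], true)) {
            throw new InvalidArgumentException("unknown column: $column");
        }
        $sql = sprintf('SELECT COUNT(*) FROM %s_users WHERE %s = :value',
                       $this->prefix, $column);
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute([':value' => $value]);
        return (int) $stmt->fetchColumn() > 0; // each statement has its own row count
    }
}

// Constructed demo data (assumed table layout, not the real site's schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE constraints mean a race between the check and the INSERT still
// cannot produce two rows with the same username or email.
$pdo->exec('CREATE TABLE site_users (
    username TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL UNIQUE
)');
$pdo->exec("INSERT INTO site_users (username, email) VALUES ('alice', 'alice@example.com')");

$reg = new Registration($pdo, 'site');

$cases = [
    ['bob',           'alice@example.com'], // new name, existing email  -> email message only
    ['alice',         'bob@example.com'],   // existing name, new email  -> username message only
    ["x' OR '1'='1",  'new@example.com'],   // injection attempt stays a literal string -> ok
];

foreach ($cases as [$username, $email]) {
    $problems = $reg->conflicts($username, $email);
    printf("%-16s %-20s %s\n", $username, $email,
           $problems ? implode(' | ', $problems) : 'ok');
}
```

When porting this back into the script, the `$display .= ...` messages and `unset($HTTP_POST_VARS[...])` calls can be driven from the returned array exactly as before; the point is that the check itself no longer builds SQL from the posted strings. Catch the `PDOException` raised by a `UNIQUE` violation on the final `INSERT` and show the same "already taken" message, since the pre-check alone cannot rule out two registrations racing each other.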