
discuss - Re: [opennic-discuss] User and Domain Management System

  • From: Martin C <martin AT mchomenet.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] User and Domain Management System
  • Date: Wed, 30 May 2012 09:38:32 +1000

> A side note about the confirmation mails: maybe you should check if the
> username that's being confirmed actually exists?
> If I enter confirm.php?username=whateveriwant, it says the username has
> been registered...
This is why I am having a public test, to get others to try it out and go through scenarios that I might not have thought of.

> I don't know what kind of checks you have, but it is at the very least
> bad practice to say a username that hasn't been requested is registered.
I have not heard of that particular practice myself, so I'll take your word for it. I figured users would only try to activate accounts that they themselves have registered. At most, it gets some spammers' hopes up until they realise they need to register and confirm a real account before they can do anything.

But I'll implement some error checking in the next revision to fix this.

> At the very worst, you could end up with a hell of a lot of database
> pollution.
Nothing is changed within the database if you try to confirm a username that doesn't actually exist in there yet.

If you are referring to database accesses, then it only does one at the moment, rather than the two it would need to verify the username and then activate the account.

> Logging in obviously doesn't work as there's no password for the user,
> and I'm assuming your script checks empty passwords, so that's good :)
At the user registration page it says all fields must be at least 5 characters long; this check is done twice. The software will definitely not allow a non-existent user account to be activated and then permit them an empty or NULL password, otherwise yes, the database would get pollution. That would be A Bad Thing (tm).

Thanks for giving it a look-see. I'll implement the check for a non-existent account this morning. Good catch.

Martin.
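
The check discussed in this thread, as an added example that is not part of the original post and not the site's own code: a single UPDATE both verifies and activates the account, so the success path still costs one database access, and a second query runs only when nothing was activated. The `users` table, its `username` and `active` columns, the `confirm_account` function and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not the site's code. Table and column names are assumptions.
declare(strict_types=1);

/**
 * Activate a pending account.
 * Returns 'confirmed', 'already_active' or 'not_found'.
 */
function confirm_account(PDO $db, string $username): string
{
    // One UPDATE both checks and activates: it matches only a row that
    // exists and is still pending, so a made-up username changes nothing.
    $stmt = $db->prepare(
        'UPDATE users SET active = 1 WHERE username = :u AND active = 0'
    );
    $stmt->execute([':u' => $username]);
    if ($stmt->rowCount() === 1) {
        return 'confirmed';
    }

    // Failure path only: tell "already active" apart from "no such user".
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchColumn() === false ? 'not_found' : 'already_active';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY,
    active   INTEGER NOT NULL DEFAULT 0
)');
$db->exec("INSERT INTO users (username, active) VALUES ('alice', 0), ('bob', 1)");

// A pending user, the same user again, an active user, and a made-up name.
foreach (['alice', 'alice', 'bob', 'whateveriwant'] as $name) {
    printf("%-14s %s\n", $name, confirm_account($db, $name));
}
```

The page that calls this should report success only for `confirmed`, so a request such as confirm.php?username=whateveriwant no longer claims the username has been registered.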


