PHSCDC / itocdc-2015-www

An insecure PHP web app for the Iowa State University 2015 IT Olympics Cyber Defense Competition (ITOCDC)
MIT License

Accounts may be created with the same email or username as an existing account #16

Closed jummy0 closed 9 years ago

jummy0 commented 9 years ago

During registration, it is never checked whether or not the username or email is already in use; register.php blindly creates a new record for the new user.

ngiddings commented 9 years ago

One of the fundamental rules of DB development is that each value in the key column must be unique. In this case, the key for each row in the user table is the user's email. SQL will naturally give errors if you attempt a non-unique email.

Usernames, on the other hand, can be unique, which creates some issues with being able to identify other members.

Passwords can obviously be unique.
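
The two registration patterns under discussion, as an added example that is not code from the itocdc-2015-www repository or from either commenter: a handler that blindly inserts every submitted user (the behaviour the issue reports for register.php) next to one that enforces uniqueness with UNIQUE constraints on both username and email and treats the resulting integrity error as "already taken". The table and column names, the function names, and the use of an in-memory SQLite database through PDO are assumptions made for this example; the real app's schema is not shown on the page.

```php
<?php
// Added example, not the repository's register.php. Table names, column
// names and function names are assumed; SQLite in memory stands in for the
// app's real database so the script runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Schema as the issue describes it: nothing stops duplicate users.
    $db->exec('CREATE TABLE users_vuln (
        id INTEGER PRIMARY KEY,
        username TEXT,
        email TEXT,
        password_hash TEXT)');
    // Hardened schema: both identifiers unique, case-insensitively, so that
    // "Bob" and "bob" (or BOB@example.com and bob@example.com) cannot coexist.
    $db->exec('CREATE TABLE users_safe (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE COLLATE NOCASE,
        email TEXT NOT NULL UNIQUE COLLATE NOCASE,
        password_hash TEXT NOT NULL)');
    return $db;
}

// Vulnerable pattern: no lookup and no constraint, so every POST creates a
// new row even when the username or email is already in use.
function registerVulnerable(PDO $db, string $username, string $email, string $password): bool {
    $stmt = $db->prepare(
        'INSERT INTO users_vuln (username, email, password_hash) VALUES (?, ?, ?)');
    return $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hardened pattern: let the UNIQUE constraints reject the duplicate and map
// the integrity error to a "taken" result. A SELECT-then-INSERT check on its
// own is racy (two concurrent registrations can both pass the SELECT), so the
// database constraint is the guard that actually holds.
function registerSafe(PDO $db, string $username, string $email, string $password): bool {
    $stmt = $db->prepare(
        'INSERT INTO users_safe (username, email, password_hash) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 is PDO's integrity-constraint-violation class,
        // which pdo_sqlite reports for a failed UNIQUE constraint.
        if (($e->errorInfo[0] ?? '') === '23000') {
            return false;
        }
        throw $e;
    }
}

function countByUsername(PDO $db, string $table, string $username): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM $table WHERE username = ?");
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn();
}

$db = openDb();

// Vulnerable table: the second registration silently creates a second alice.
registerVulnerable($db, 'alice', 'alice@example.com', 'pw1');
registerVulnerable($db, 'alice', 'alice@example.com', 'pw2');
printf("users_vuln rows named alice: %d\n", countByUsername($db, 'users_vuln', 'alice'));

// Hardened table: only the first of each username/email pair gets in.
var_dump(registerSafe($db, 'bob', 'bob@example.com', 'pw1'));     // fresh user
var_dump(registerSafe($db, 'Bob', 'other@example.com', 'pw2'));   // username collides
var_dump(registerSafe($db, 'carol', 'BOB@example.com', 'pw3'));   // email collides
printf("users_safe rows named bob: %d\n", countByUsername($db, 'users_safe', 'bob'));
```

Run it with `php example.php` (it needs the pdo_sqlite extension, which ships enabled in most PHP builds). The point to take from it is the one ngiddings makes about the key column: a uniqueness check written only in PHP is a convenience for producing a friendly error message, while the UNIQUE constraint is what guarantees the invariant, including under concurrent requests. Adding the constraint to an existing table also surfaces any duplicates the unchecked register.php has already created, since the ALTER or index creation fails until they are cleaned up.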

ngiddings commented 9 years ago

Made a patch on the registration branch.