[ic] Blank usernames and new_account
Chris Jesseman
interchange-users@lists.akopia.com
Thu May 17 00:15:00 2001
Hi
I just had a situation on an IC 4.6.4 (based on construct) cart where the
username.counter file was set to an earlier number (by a version control
mishap) and IC was being asked to create a userid that already existed. When
customers ordered, IC created an empty username in the MySQL database, which
was reused for subsequent orders where a userid was not supplied by the user.
The reuse caused a leak of some data, as described in earlier 'blank username'
incidents reported on the list. No errors are logged when the create fails.
Should there be some failsafe in new_account (or somewhere) to prevent '' from
ever being used as a username?
--
Chris Jesseman
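
One possible shape for the failsafe asked about above, written as an added example; it is not part of the original post and is not Interchange code. It models the counter file as a one-element list and the user table as an in-memory SQLite table. The table layout, the `U` prefix, the five-digit format and all function names are assumptions made for illustration.

```python
import sqlite3

class AccountError(Exception):
    """Raised instead of continuing with an unusable username."""

def make_db():
    # Constructed schema: the key must be unique and must not be blank,
    # so the database itself rejects '' even if application code forgets to.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userdb (username TEXT PRIMARY KEY NOT NULL "
               "CHECK (length(trim(username)) > 0), address TEXT)")
    return db

def require_username(username):
    """Fail closed: '' or whitespace is never a valid account key."""
    if username is None or not str(username).strip():
        raise AccountError("refusing blank username")
    return str(username)

def new_account(db, counter, prefix="U", max_tries=1000):
    """Allocate the next counter-based username.

    counter is a one-element list standing in for the counter file.
    A stale counter yields ids that already exist; skip past them
    instead of letting the failed insert go unnoticed.
    """
    for _ in range(max_tries):
        counter[0] += 1
        username = require_username(f"{prefix}{counter[0]:05d}")
        try:
            with db:  # commit on success, roll back on error
                db.execute("INSERT INTO userdb (username) VALUES (?)",
                           (username,))
        except sqlite3.IntegrityError:
            continue  # id already taken: try the next number
        return username
    raise AccountError("no free username after %d attempts" % max_tries)

def demo():
    db = make_db()
    counter = [0]
    first = [new_account(db, counter) for _ in range(5)]  # five accounts
    counter[0] = 2  # simulate the counter being reset to an earlier number
    return first, new_account(db, counter), counter[0]

if __name__ == "__main__":
    print(demo())
```

Calling `require_username` again at the point where an order is attached to an account keeps a blank key from being shared between customers even if allocation is bypassed.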