[ic] Blank usernames and new_account

Ed LaFrance interchange-users@lists.akopia.com
Thu May 17 12:07:01 2001


At 12:17 AM 05/17/2001 -0400, you wrote:
>Hi
>
>I just had a situation on an IC 4.6.4 (based on construct) cart where the
>username.counter file was set to an earlier number (by a version control
>mishap) and IC was being asked to create a userid that already existed. When
>customers ordered, IC created an empty username in the MySQL database, which
>was reused for subsequent orders where a userid was not supplied by the user.
>The reuse caused a leak of some data, as described in earlier 'blank username'
>incidents reported on the list. No errors are logged when the create fails.
>
>Should there be some failsafe in new_account (or somewhere) to prevent ''
>from ever being used as a username?

That auto-account creating is performed in etc/log_transaction, I 
believe.  The code could probably be expounded on to prevent your problem 
from occurring... or you might consider blowing it away.

- Ed L.


===============================================================
New Media E.M.S.               Software Solutions for Business
463 Main St., Suite D          eCommerce | Consulting | Hosting
Placerville, CA  95667         edl@newmediaems.com
(530) 622-9421                 http://www.newmediaems.com
(866) 519-4680 Toll-Free       (530) 622-9426 Fax
===============================================================
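
One shape the failsafe asked about in this thread could take, as an added example that is not Interchange's code and not part of either post: the allocator skips ids that already exist after a counter rollback, and account creation dies on a blank or duplicate username instead of failing silently. The names `%users`, `$counter`, `allocate_username`, `create_account` and the `U%05d` id format are hypothetical stand-ins for the user table and the username.counter value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins: %users models the user table, $counter the value
# read from a username.counter-style file. Neither is Interchange's own API.
my %users   = ('U00001' => {}, 'U00002' => {}, 'U00003' => {});
my $counter = 1;    # rolled back: the next ids it yields already exist

# Return a fresh, non-empty username or die; never fall through with ''.
sub allocate_username {
    my ($users, $counter_ref, $max_tries) = @_;
    for (1 .. $max_tries) {
        my $name = sprintf 'U%05d', ++${$counter_ref};
        next if exists $users->{$name};    # collision: skip it, do not reuse
        return $name;
    }
    die "no free username after $max_tries tries (counter=${$counter_ref})\n";
}

# Create the account, rejecting blank or duplicate keys loudly.
sub create_account {
    my ($users, $name, $record) = @_;
    die "refusing blank username\n"
        unless defined $name && $name =~ /\S/;
    die "username '$name' already exists\n" if exists $users->{$name};
    $users->{$name} = $record;
    return $name;
}

# Order placed without a userid: allocate one, then create the account.
my $name = allocate_username(\%users, \$counter, 1000);
create_account(\%users, $name, { email => 'buyer@example.com' });
print "created $name (counter now $counter)\n";

# A failed allocation upstream must stop the order, not store it under ''.
for my $bad ('', undef, '   ') {
    my $ok = eval { create_account(\%users, $bad, {}); 1 };
    print "rejected: $@" unless $ok;
}
```

With a database-backed user table, a unique constraint on the username column plus a check that rejects the empty string gives the same guarantee at the storage layer.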