Akopia Akopia Services
[Date Prev][Date Next][Thread Prev][Thread Next][Interchange by date ][Interchange by thread ]

[ic] Blank usernames and new_account

Hi

I just had a situation on a IC 4.6.4 (based on construct) cart where the 
username.counter file was set to an earlier number (by a version control 
mishap) and IC was being asked to create a userid that already existed. When 
customers ordered, IC created an empty username in the mysql database, which 
was reused for subsequent orders where a userid was not supplied by the user. 
The reuse caused a leak of some data, as described in earlier 'blank username' 
incidents reported on the list. No errors are logged when the create fails. 

Should there be some failsafe in new_account (or somewhere) to prevent '' from 
ever being used as a username?

-- 
Chris Jesseman



_______________________________________________
Interchange-users mailing list
Interchange-users@lists.akopia.com
http://lists.akopia.com/mailman/listinfo/interchange-users
Search for: Match: Format: Sort by: