[Resolved] no check against DB for existing email address when updating

    Steve

    @stevebob70121090192

    Overall, good job, good plugin.

    One (possibly big) issue though. If an existing user goes to edit their information and they change their email address to something else there is no check in place to make sure that the newly entered email address isn’t already in the database.

    So, theoretically, if a user knew the email address of a site admin could they not gain admin access by changing the email associated with their account to one that is used by an admin?

    Plugin Author Chad Butler

    @cbutlerjr

    That should be changed for the simple reason that we don’t want to have address collisions. But to answer your security question, no, it would not allow a non-admin user to gain administrative access.

    Steve

    @stevebob70121090192

    This is my solution to the problem:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    It first checks to see if the email address passed in the form is different from what is currently on file; if it is different, it then checks to make sure the new email address isn’t already in use.

    Plugin Author Chad Butler

    @cbutlerjr

    That’s a good solution. I would suggest not bothering to check if it’s different and just check if it exists. That way you go from doing either 1 or 2 db calls to just 1 and still accomplish the same thing (it can be changed as long as it’s not empty and doesn’t already exist).

    Also (and this is something that the registration section is being updated to), I would suggest just using the WP function email_exists. Then you could cut out a few lines by just using if ( email_exists ( $user_email ) ) {...
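    A worked version of the check described in this reply, added here as an example rather than code from the thread or from the plugin itself. It assumes it runs inside WordPress (the core functions email_exists(), is_email(), sanitize_email(), get_current_user_id() and wp_update_user() and the WP_Error class); the function names starting with example_ are made up for this illustration.

```php
<?php
// Added example, not WP-Members or WordPress core code. Assumes the
// WordPress core API is loaded; example_* names are hypothetical.

function example_validate_email_change( $new_email, $user_id ) {
    $new_email = sanitize_email( (string) $new_email );

    // Reject empty or malformed addresses before touching the database.
    if ( '' === $new_email || ! is_email( $new_email ) ) {
        return new WP_Error( 'invalid_email', 'Please enter a valid email address.' );
    }

    // A single DB lookup: email_exists() returns the owning user's ID, or false.
    $owner_id = email_exists( $new_email );

    // Caveat to the "just check whether it exists" shortcut: a user who
    // re-saves their profile with their current address makes email_exists()
    // return their own ID. Only an address owned by a *different* user is a
    // collision, so compare the returned ID with the user being edited.
    if ( false !== $owner_id && (int) $owner_id !== (int) $user_id ) {
        return new WP_Error( 'email_in_use', 'That email address is already in use.' );
    }

    return $new_email;
}

function example_save_profile_email( $new_email ) {
    // The account being edited comes from the session, never from the form,
    // so a user can only ever change their own row.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'not_logged_in', 'You must be logged in.' );
    }

    $checked = example_validate_email_change( $new_email, $user_id );
    if ( is_wp_error( $checked ) ) {
        return $checked; // Hand the error back to the form; nothing is written.
    }

    return wp_update_user( array( 'ID' => $user_id, 'user_email' => $checked ) );
}
```

    The validation step returns either the cleaned address or a WP_Error, so the caller can refuse the update without any second query for the "is it different" case.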

    Steve

    @stevebob70121090192

    Thanks for the feedback.
