I was recently alerted to the fact that Gmail email addresses are the same whether or not you put a "." before "@gmail.com". So "[email protected]" and "[email protected]" both deliver to "[email protected]".
As a result, when users sign up on my website, I want to check that they aren't using this exploit to make multiple accounts with essentially the same email address.
I sanitize the email address they send me, log into my database with PDO and then try running this code:
$data = $db->query("SELECT REPLACE(email,'.','') AS email_without_periods FROM account_data HAVING email_without_periods LIKE '" . str_replace($sanitizedEmail, ".", "") . "'");
if ($row = $data->fetch()) {
    // It found a match between the sanitized email without periods and the email rows without periods. Hey, this dude's trying to create multiple accounts!
    $error = "You're trying the email decimal trick! You sneaky devil... ";
}
However, this input doesn't work: it doesn't seem to register any rows.
When I replaced LIKE '" . str_replace($sanitizedEmail, ".", "") . "'" with LIKE '%" . str_replace($sanitizedEmail, ".", "") . "%'", it brought back all of the rows.
I basically want to search for str_replace($postEmail, ".", "") in the database, but to remove all the periods in the email rows first. I'm using PDO.
How can I do this?
Comments:

Barmar: … $sanitizedEmail?

Barmar: … replace(email, '.', '') to remove them. But you're also removing the period in gmail.com, so it will become gmailcom.

Josh Powlison: $sanitizedEmail might be [email protected]. Basically any email address that the form gets with $_POST and then sanitizes.

Barmar: … my.email in the form, you'll sanitize it to myemail?
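An added example, not code from the question or from the commenters, showing how to do this check with PDO. Two things explain the symptoms described in the question. First, str_replace() takes its arguments as (search, replace, subject), so str_replace($sanitizedEmail, ".", "") runs the replacement on the empty string and always returns "": LIKE '' then matches nothing, and LIKE '%%' matches every row. Second, building the SQL by concatenation puts the submitted address into the query text; a bound parameter keeps it out. The code below limits the dot removal to the local part of gmail.com / googlemail.com addresses (so the domain is not turned into "gmailcom", as Barmar points out) and also folds the "+tag" suffixes that Gmail ignores. The column email_canonical, the function names, the in-memory SQLite database and the sample rows are assumptions made for this demo; the question only mentions an email column.

```php
<?php
// Added example (not from the question): canonicalise an address the way Gmail
// treats it, then look for an existing account with the same canonical form
// using a PDO prepared statement instead of string concatenation.

declare(strict_types=1);

/**
 * Canonical form of an address for duplicate detection, or null if invalid.
 * Assumption: dot-insensitivity is a Gmail property, so only gmail.com and
 * googlemail.com local parts are rewritten. Stripping every '.' from the whole
 * address would also mangle the domain ("gmail.com" -> "gmailcom").
 */
function canonicalEmail(string $email): ?string
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Split on the last '@' so a quoted local part containing '@' still works.
    $at     = strrpos($email, '@');
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    if ($domain === 'gmail.com' || $domain === 'googlemail.com') {
        $local  = str_replace('.', '', $local);   // john.doe     -> johndoe   (search, replace, subject)
        $local  = explode('+', $local, 2)[0];     // johndoe+tag  -> johndoe   (Gmail ignores +suffixes)
        $domain = 'gmail.com';                    // googlemail.com delivers to the same mailbox
    }
    return $local . '@' . $domain;
}

/**
 * True if an account already exists whose canonical address equals the
 * canonical form of $submittedEmail. Assumes account_data has a column
 * email_canonical filled by canonicalEmail() at signup (assumption for the
 * demo; the question only mentions an "email" column).
 */
function emailAlreadyRegistered(PDO $db, string $submittedEmail): bool
{
    $canon = canonicalEmail($submittedEmail);
    if ($canon === null) {
        return false; // let the normal validation path reject a malformed address
    }
    // Bound parameter: the user-supplied value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM account_data WHERE email_canonical = :email LIMIT 1');
    $stmt->execute([':email' => $canon]);
    return $stmt->fetchColumn() !== false;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account_data (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    email_canonical TEXT NOT NULL UNIQUE
)');

$ins = $db->prepare('INSERT INTO account_data (email, email_canonical) VALUES (:raw, :canon)');
$ins->execute([':raw' => 'john.doe@gmail.com', ':canon' => canonicalEmail('john.doe@gmail.com')]);

$candidates = [
    'j.o.h.n.doe@gmail.com',          // same Gmail mailbox, dots moved
    'johndoe+signup2@googlemail.com', // same mailbox via alias domain and +tag
    'john.doe@example.com',           // different provider: dots are significant
];
foreach ($candidates as $candidate) {
    printf("%-32s duplicate=%s\n", $candidate, emailAlreadyRegistered($db, $candidate) ? 'yes' : 'no');
}
```

Store the canonical form at signup and put a UNIQUE constraint on it, as the demo schema does. A SELECT-then-INSERT check leaves a window in which two concurrent signups with the same canonical address both pass; the constraint is what actually guarantees one account per canonical address, so catch the integrity-constraint PDOException on the INSERT and report it as a duplicate as well.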