subscribe page not checking if user already exists

Post by jsp254 » 2:25am, Tue 21 Apr, 2009

on my subscribe page it's not checking if the user already exists. instead, if i enter the info again, it updates the user.

what gives.

if i subscribe with this info:
name(at)domain.com - john - 90210 (required fields in my case)
then check the email and complete the subscription, in the users list i see this:
name(at)domain.com - john - 90210


now if i log out from the admin section and go to the subscribe page again and enter this info:
name(at)domain.com - roger - 51515
i should get a message saying the user already exists and see this if i check the users:
name(at)domain.com - john - 90210
but i'm not.

trying to resubscribe while the user already exists simply updates the existing user's info. that's a potential liability waiting to happen.

if i went to the subscribe page and entered:
name(at)domain.com - imagoofyfoker - 69696
it would change the user to the above info.

that is a good way to start problems!!!!



anyone else seen this yet
jsp254
phpLister
 
Posts: 10
Joined: 8:03am, Sun 29 Mar, 2009

Re: subscribe page not checking if user already exists

Post by Diar » 10:17am, Tue 21 Apr, 2009

Read something about it yesterday, can't be bothered to find the forum post now.

Basically the response that person got was something along the lines of:

Phplist does this so users are able to update their preferences, if you don't want the email field there, edit the phpList code so it attaches a UID to the preferences link and takes away the email entry field.

Like I said, I can't be bothered to find the forum post, but it was something like that, posted by one of the more experienced users. (If I remember correctly, it was H2B2 posting it ^^)
Diar
PL Nut
 
Posts: 24
Joined: 1:16pm, Fri 06 Mar, 2009
Location: Holland ^_^

Re: subscribe page not checking if user already exists

Post by jsp254 » 2:36pm, Tue 21 Apr, 2009

no. you're missing my point. i'm not talking about the update page. i mean on the "register here for the newsletter" page.
the initial subscribe page: .../?p=subscribe&id=1

say a dad has registered with their family email address. he forgot to tell mom and she doesn't know. 4 days later, mom tries to register!!!

when she tries, it is supposed to pop up a message saying that email already exists, or already in database, or a similar message.

it's not doing that.

so when mom completes the form, it changes all of the information in the database to what ever she put in.

so next week when dad gets his newsletter, i'm referring to him as nancy or judy!!!! see the problem?
jsp254
phpLister
 
Posts: 10
Joined: 8:03am, Sun 29 Mar, 2009

Re: subscribe page not checking if user already exists

Post by Diar » 2:45pm, Tue 21 Apr, 2009

I didn't miss your point =]

I just wrote my explanation poorly.
In the other post they were actually talking about the subscription page as well.

[Edit:] For some reason I remembered it wrong, too much info the past few weeks probably, constantly reading the forums is a bad thing :roll:

Anyways, here's the post I saw it on:
viewtopic.php?p=37424

[Edit2:] Might as well include another link to a post, might be somewhat related to your problem as well. :mrgreen:
viewtopic.php?p=39299
Diar
PL Nut
 
Posts: 24
Joined: 1:16pm, Fri 06 Mar, 2009
Location: Holland ^_^

Re: subscribe page not checking if user already exists

Post by CS2 » 4:09pm, Tue 21 Apr, 2009

I agree that this could be problematic. To prevent this, edit admin/subscribelib2.php. Search for the following text around line 160 (it will vary a bit depending on which version of PHPlist you're running):
Code:
    # they do exist, so update the existing record
    # read the current values to compare changes


Immediately below that, add these lines:
Code:
    if (isset($_GET['p']) && $_GET["p"] == "subscribe")
    {
      $msg = "A user with that email already exists.  Click <a href='".getConfig("preferencesurl").
             "'>this link</a> if you wish to update your personal information.";
      return;
    }


Basically, at the point we add the code, the script has already determined that this is an existing user. We're adding an additional check to determine if it's the subscribe page. If it is, then we're informing the user that their email already exists in the database and providing them a link to the preferences page. I intentionally linked to the base preferences page without including their email or uniqid in order to force them to enter their email address again and a link to their preferences page will be emailed to them. This is a security measure against someone maliciously altering somebody else's information. However, you can make $msg be whatever you like. It will print the value of $msg to the screen and basically halt execution of the script, preventing the type of problem described by the original poster.
CS2
PL Master
 
Posts: 216
Joined: 2:20am, Wed 04 Feb, 2009
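
Added example (not from the thread and not phpList's own code): the behaviour jsp254 reports beside the guard CS2 describes, run on a constructed in-memory subscriber list. The function names, the PREFERENCES_URL placeholder and the case-insensitive email comparison are assumptions of this example.

```php
<?php
// Constructed sample data: one confirmed subscriber, keyed by email.
$subscribers = [
    'name@domain.com' => ['name' => 'john', 'zip' => '90210'],
];

// Hypothetical placeholder for the value getConfig("preferencesurl") returns.
const PREFERENCES_URL = '/?p=preferences';

// Behaviour reported by the original poster: an unauthenticated subscribe
// request for a known address overwrites the stored attributes.
function subscribe_upsert(array &$subscribers, string $email, array $attrs): string
{
    $key = strtolower(trim($email)); // assumption: addresses compare case-insensitively
    $existed = isset($subscribers[$key]);
    $subscribers[$key] = $attrs;
    return $existed ? 'updated' : 'created';
}

// Guarded form: a known address is never modified from the subscribe page.
// The reply links to the base preferences page with no email or uid in it,
// so any change still has to go through the emailed preferences link.
function subscribe_guarded(array &$subscribers, string $email, array $attrs): string
{
    $key = strtolower(trim($email));
    if (isset($subscribers[$key])) {
        return 'A user with that email already exists. Click <a href="'
            . htmlspecialchars(PREFERENCES_URL, ENT_QUOTES)
            . '">this link</a> if you wish to update your personal information.';
    }
    $subscribers[$key] = $attrs;
    return 'created';
}

// Second submission for the same address with different attributes.
$second = ['name' => 'roger', 'zip' => '51515'];

$unguarded = $subscribers;
echo subscribe_upsert($unguarded, 'name@domain.com', $second), ': ',
     $unguarded['name@domain.com']['name'], "\n";

// A differently cased address still hits the existing record and is refused.
$guarded = $subscribers;
echo subscribe_guarded($guarded, 'Name@Domain.com', $second), "\n";
echo 'stored name: ', $guarded['name@domain.com']['name'], "\n";
```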

Re: subscribe page not checking if user already exists

Post by jsp254 » 8:46pm, Tue 21 Apr, 2009

OUTSTANDING!!!! that is what i needed. i looked at that section of the code over and over. the portion about the password threw me for a flip. i figured that was an area i need not mess with.

btw.... what is the area for the password below where i inserted this code? is this another option for users that i can assign, an area for future development, or something old and just not removed, or referenced from the admin section?
jsp254
phpLister
 
Posts: 10
Joined: 8:03am, Sun 29 Mar, 2009

Re: subscribe page not checking if user already exists

Post by CS2 » 8:55pm, Tue 21 Apr, 2009

There's a setting in the config.php where you can require users to enter a password and log in in order to change their preferences or unsubscribe. If that setting is enabled and they enter an email in the subscribe page that's already in the database, it will require them to log in.
CS2
PL Master
 
Posts: 216
Joined: 2:20am, Wed 04 Feb, 2009

Re: subscribe page not checking if user already exists

Post by amk » 3:47pm, Fri 08 May, 2009

I do not want my users to remember the password, and I consider the uid secure enough to provide the protection for their attributes.

I have applied the solution above, just used slightly updated code from below, that is normally used in case passwords are configured. And updated relevant strings in the language file.

Code:
    if (isset($_GET['p']) && $_GET["p"] == "subscribe")
    {
        $msg = $GLOBALS["strUserExists"];
        # urlencode() the address before placing it in the link's query string
        $msg .= '<p>'.$GLOBALS["strUserExistsExplanationStart"].
          sprintf(' <a href="%s&email=%s">%s</a>',getConfig("preferencesurl"),urlencode($email),
          $GLOBALS["strUserExistsExplanationLink"]).
          $GLOBALS["strUserExistsExplanationEnd"];
        return;
    }


I do not like removal of the email address from link, instead addressed the underlying problem also:
viewtopic.php?t=13525
amk
phpList newbie
 
Posts: 4
Joined: 2:37pm, Fri 08 May, 2009

Re: subscribe page not checking if user already exists

Post by AppleJack » 9:30pm, Sun 05 Jul, 2009

Thanks CS2. I'm using this mod and think it will work pretty well in most cases, however it may cause some confusion to a small fraction of users. A situation could occur when a user who does not know he is on the blacklist tries to resubscribe, because he will incorrectly receive the message that says his email address already exists and that he must use his preferences page to make changes. A better message would say he is on the Blacklist.

Ideally, I think a user on the Blacklist should get a message that says "that email address is on the Blacklist," and a user not on the Blacklist should get the message that says "that email address already exists, please use your preferences panel if you want to make changes."

--Hope this is helpful.
AppleJack
phpLister
 
Posts: 10
Joined: 12:39am, Fri 29 May, 2009

Re: subscribe page not checking if user already exists

Post by endjo » 9:48am, Sun 20 Sep, 2009

Great solution CS2, Thanks a lot. Could you please tell me if there is some way to make the text "A user with that email already exists." in RED color?
endjo
PL Nut
 
Posts: 18
Joined: 6:52pm, Mon 31 Aug, 2009

Re: subscribe page not checking if user already exists

Post by H2B2 » 2:05am, Tue 02 Nov, 2010

H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

