Admin
/f..st/
Admin
[Insert "two problems" quote here]
Admin
Am I reading this right? If I typed my email address as ".@.", could I have logged in as anybody?
Admin
You'd probably still need the right password though
Admin
a right password...
Admin
I was expecting the callback saying that no logins were working due to their storage of the previously regex'd email address as a key.
Admin
TRWTF is using a regular expression to check the email (which is used as the username), where an exact match is obviously expected. Why not use a simple equality comparison?
Admin
Strictly speaking [email protected] and [email protected] are different addresses. Almost every mail delivery agent I have ever worked with treats them as the same, but the specifications really do call for treating the mailbox part of the address as a label; and the MTAs largely get it right.
Using a simple equality check where e-mail addresses are being utilized as user names is probably the most correct, because when both [email protected] and [email protected] try and sign up for your service they are going to be very frustrated; but then if you don't at least ucase() when the thousands of [email protected]-type address users attempt to login as [email protected] they are going to be similarly frustrated. Wrong though they may be, their numbers are greater; so when management gets the "bug" reports they are going to win.
All in all regex is probably not the way to do it, but you do need to tolerate some address munging.
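Added example (Python, written for this discussion, not code from the article or from any commenter) of the lookup pattern the thread is describing: the typed address dropped into a regular expression unescaped, beside an escaped version and the plain equality comparison the comment above asks for. The account table is constructed and the hash strings are placeholders.

```python
import re

# Constructed sample account table; the values are placeholders, not real hashes.
USERS = {
    "betty_booth@example.com": "hash-betty",
    "alice@example.com": "hash-alice",
    "bob@example.org": "hash-bob",
}


def find_users_regex(typed):
    """Lookup in the style the article describes: the typed address is used
    as an unescaped pattern, so '.' matches any character and a value such
    as '.@.' matches far more than one account."""
    pattern = re.compile(typed)
    return [addr for addr in USERS if pattern.search(addr)]


def find_users_escaped(typed):
    """Same lookup with the metacharacters neutralised and the pattern
    anchored at both ends, so only the literal address can match."""
    pattern = re.compile("^" + re.escape(typed) + "$")
    return [addr for addr in USERS if pattern.search(addr)]


def normalise(addr, fold_local=False):
    """Canonical comparison key: the domain is DNS and is lower-cased;
    the local part is left alone unless the caller opts into folding it
    (the 'tolerate some munging' trade-off from the thread)."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    if fold_local:
        local = local.lower()
    return local + "@" + domain.lower()


def find_users_exact(typed, fold_local=False):
    """Plain equality on normalised keys: no pattern language involved."""
    key = normalise(typed, fold_local)
    return [addr for addr in USERS if normalise(addr, fold_local) == key]
```

With the regex version, "betty.booth@example.com" finds betty_booth's account and ".@." finds every account; the escaped and equality versions find only literal matches, and the fold_local switch is where the "thousands of users typing their address in the wrong case" decision lives.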
Admin
That and "Wait, no, I want it back!" she said. "I make so many typos using that form, it was saving me so much time!"
Admin
If only there was a way to check for string equality without case-sensitivity in .Net...
Admin
To add complication, user@example and [email protected] are equal - the domain part is case non-sensitive.
According to RFC, DNS is case-insensitive...
Admin
case non-sensitive -> case-insensitive...
Admin
Just convert both strings to all upper/lower case and check...
Admin
Nice one, that one... hmmm... will Google Mail and others treat betty.booth and betty_booth as two different accounts, or will they stick to just one allowed separator?
Admin
And fail here means support call, your code passed lots of tests but doesn't work in production!
Admin
Most probably as the first user in the database which matches your password-hash
Admin
I believe his point was there IS a way of ignoring case in .net... StringComparison.InvariantCultureIgnoreCase
Admin
Not to mention <snarky_tech>"Then I suggest you make a second account," he said, "with an address you can actually type."</snarky_tech>
Admin
Why would you SQL escape what is obviously a MongoDB query?
Admin
And on the question of distinctness of email addresses, don't forget that the hypothetical addresses [email protected], [email protected], and even [email protected] are all the same even if they look different. (GMail has a substantial quantity of WTFs, and this is just one of them. Most parts of the GUI are epically WTF, as is their policy of dropping parts that actually work in favour of "simplifications" that make it harder to use. Like when they dropped a perfectly normal scroll bar on the "contacts" pane in favour of one that appears only when (i) the number of contacts warrants a scroll bar(*) and simultaneously (ii) the cursor is over the contacts pane. So until you point the cursor at the contacts pane, you think half your contacts are missing.
(*) Scroll bars that disappear completely when there isn't a scrollable amount of stuff are a minor WTF in themselves because you cannot tell that the application/webpage/whatever allows more stuff than that. Compared to the onhover appearance not-onhover disappearance of GMail's scrollbars, however it's nothing more than a minor nuisance. Windows 8's never-marked hot corners are worse, however.
Admin
It's a good thing their registration system probably rejected email addresses with "+" in them.
No wait, I mean the opposite. It's a terrible thing that their registration system probably rejected perfectly valid email addresses like so many others do.
Admin
You'd need the right password since account name and passwords are paired
Admin
Because of Turkish uppercase 'i' ?
so string.toLowerCase() then?
There I fixed it.
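Added example (Python, written for this discussion, not from the article) of why "upper-case both and compare" stops being safe once addresses leave ASCII, which is the point of the Turkish 'i' remark above: dotless ı and dotted i both upper-case to I, so two distinct local parts compare equal, and lower-casing U+0130 yields two code points. The same_address variant folds only A-Z in the local part and canonicalises the domain through IDNA; the addresses are constructed.

```python
def ascii_fold(s):
    """Fold A-Z only. Unicode-aware .lower()/.upper() also touch letters such
    as U+0130 and U+0131 and can merge two distinct local parts."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def domain_key(domain):
    """Canonical form of the domain: ASCII-fold, then IDNA-encode so that a
    Unicode host name and its punycode spelling compare equal. (Python's idna
    codec passes all-ASCII labels through unchanged, hence the fold first.)"""
    return ascii_fold(domain).encode("idna").decode("ascii")


def split_address(addr):
    """Split on the last '@'; the local part may itself contain '@' when quoted."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def naive_equal(a, b):
    """The 'just convert both to upper case and check' approach from the thread."""
    return a.upper() == b.upper()


def same_address(a, b, fold_local=False):
    """Domain compared case-insensitively via IDNA; local part compared
    exactly, or with ASCII-only folding when the caller asks for it."""
    la, da = split_address(a)
    lb, db = split_address(b)
    if fold_local:
        la, lb = ascii_fold(la), ascii_fold(lb)
    return la == lb and domain_key(da) == domain_key(db)
```

naive_equal("ısmail@example.com", "ismail@example.com") is True, which is two different mailboxes being treated as one login; same_address keeps them apart while still matching alice@EXAMPLE.COM to alice@example.com and a Unicode domain to its xn-- form.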
Admin
Gmail will treat betty_booth as a different address, but bettybooth == betty.booth == b.e.t.t.y.b.o.o.t.h.
That is, dots are ignored.
Admin
GMail ignores periods and capitalization for the local part (not to mention anything after the plus symbol); However, most other Google applications treat periods as significant characters.
Admin
TRWTF is that some of the commenters still think it is OK to "validate" email addresses.
It hasn't been OK, nor has it been POSSIBLE, to "validate" email addresses for a decade, why are you still trying?
Admin
Utter bollocks, email addresses are trivial to validate.
Moron
Admin
Maybe the company in question is Google and as you know gmail has this little feature regarding the + character (and I'm not talking about G+)
Admin
uh, isn't Antoine a man's name?
(Captcha: "transverbero" ... appropriate)
Admin
And presumably by "validate" you mean "decide by inspection that it has syntactic correctness". It is possible to do this, but (i) not worth the effort compared to just sending an email with an "activate" link and (ii) not as functional as just sending that email.
Sending that email to the putative address confirms that not only does the address match syntactic correctness (or at least sufficiency) but also that it is for the right mailbox. In effect, it guards against fumble-fingered pebkac (and other) users and malicious hofnofs who type in other people's email addresses to subscribe them to nasty stuff.
There are reasons, by the way, why the activation link should have a reasonably long expiry time (measured in hours, maybe up to a couple of days), mostly related to signups where the user doesn't have easy access to e.g. a work email account while he is not in the office, or an ISP-hosted email account while he is in the office.
Admin
dammit, ignore - the customer's the one doing the talking
Admin
I thought for sure the WTF was going to be that they were using LIKE in their database query causing the underscore in the correct email to act like a wildcard. Silly me - instead they made the . act like a wildcard by unnecessarily introducing regular expressions. Obviously I'm not thinking big enough with these WTFs.
Admin
The WTFness of this article is healthy.
I like the way TDWTF is going this last couple of weeks - it was getting pretty bad beforehand with the not-so-wtfs remixed into sensationalism-and-not-so-wtfs.
Captcha: populus (n) - A sexually-transmitted infection caught by listening to annoying music, drinking fizzy drinks and spending the night with a girl who was designated 'popular' at highschool - in that exact order.
Admin
VALIDATION is determining that it is possible for an address to exist. It is impossible to validate an email address, especially when dealing with Unicode addresses. You have no way to know what characters the target domain may or may not allow in the Local.
VERIFICATION is determining that the email address is accurate. It is impossible to determine that an email address is accurate without human intervention, such as a verification link. You have no way to know what processing the target domain may perform on incoming mail.
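Added example (Python, written for this discussion, not the article's code) of the validate-then-verify split the last few comments describe: a deliberately minimal syntactic check, followed by an activation token that goes into the mailed link, is stored only as a hash, is single-use, and expires after a window measured in hours. The 48-hour TTL and the in-memory table are assumptions; actually sending the mail is left to the caller.

```python
import hashlib
import secrets
import time

# "Hours, maybe up to a couple of days": two days is the assumed window here.
TOKEN_TTL_SECONDS = 48 * 3600


def looks_like_address(s):
    """Validation in the loosest sense: one '@' with something on both sides.
    Anything stricter risks rejecting addresses that do exist."""
    local, sep, domain = s.rpartition("@")
    return bool(sep and local and domain)


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PendingVerifications:
    """Verification by round trip: a random token is mailed out and only its
    hash is kept, so a copy of this table cannot be used to redeem links."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (address, expires_at)

    def issue(self, address):
        """Returns the token to embed in the activation link."""
        if not looks_like_address(address):
            raise ValueError("does not look like an address: %r" % address)
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (address, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Returns the verified address, or None if the token is unknown,
        already used, or past its expiry. pop() makes it single-use."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        address, expires_at = entry
        if self._clock() > expires_at:
            return None
        return address
```

The address is only trusted once redeem() returns it; the syntactic check exists to avoid mailing obvious garbage, not to decide anything about the mailbox.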
Admin
Except that it's not all that hard to hijack the recipient email address in many cases. Some enterprising fellow grabbed some yahoo-mail addresses which had been allowed to expire, BUT which were still the "backup verification" address and semi-abandoned secondary sites. By getting the old "forgot my password" message emailed to the yahoo addresses, he took over other domain accesses from the true owner.
Admin
Oh, come on. It can't be much harder than parsing HTML with a regex. Just give it a try.
Admin
Personally on the client side I just check for the @, a length > 3 characters, and at least 1 character on each side of the @. It may not be 100% foolproof but works in every case I've come across.
Admin
(IOW you check for /.@..|..@./ -- why not just /.@./ then?)
Admin
That was a fun read. On a similar tack, there is "Falsehoods Programmers Believe About Names" at [url=http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/].
Sincerely,
Gene Wirchenko
Admin
Which of the standards? The outdated ASCII standard, or the current Unicode one? I've never encountered a validation that even works for the first one, which is ridiculously simple, let alone the second, which is geometrically more difficult.