email validation during anonymous order

Posts: 4
Joined: 09/03/2008
Bug Finder

I figured out that you can use emails like abc@abc when you order an article anonymously. Maybe that isn't a bug, but for me it makes no sense; it's only a security risk.

Posts: 2259
Joined: 08/07/2007
Administrator / eLiTe!

I'm not sure what kind of security risk results from an email address that doesn't work. Also, trying to validate email addresses properly isn't worth the hassle. There are so many edge cases that the regular expression that actually accounts for all of them is dozens of lines long.

Posts: 4
Joined: 09/03/2008
Bug Finder

I think it is not very useful to have registered users with an invalid email address. It would be a mess to have such users (maybe hundreds) and the corresponding orders which are all fake.

Posts: 5352
Joined: 08/07/2007
Administrator / Head Code Monkey - I eat bugs.

Did you try that e-mail address? I run the customer's entry through the Drupal func valid_email_address() in the code.

Posts: 4
Joined: 09/03/2008
Bug Finder

Yes, I tried it with my own instance of Ubercart using Drupal 5.10.

Posts: 5352
Joined: 08/07/2007
Administrator / Head Code Monkey - I eat bugs.

I gotcha. I would've assumed Drupal's validation function would catch that, but I don't have much interest in extending the validation they provide. See http://api.drupal.org/api/function/valid_email_address/5 for the code used in Drupal core.

I don't think we can really rate this higher than any other sort of identification goofs. Someone could just as easily give you a fake name as they can a fake e-mail address. In the end they're only hurting themselves if they give you money but no way for you to contact them. Just make sure you don't send products to anyone you're not comfortable with... especially if they haven't paid you. Eye-wink