I am using the ASP.NET Membership database to authenticate users in a web application.
Users register using their email addresses, but something else is used in the Username field in the database.
So, in the login form, I look up my users using Membership.FindUsersByEmail.
The problem is that this method uses LIKE in SQL, and the SQL wildcard characters are not escaped.
Thus, calling the method with, say, a_df@example.com will return the users for both a_df@example.com and asdf@example.com (because the underscore is treated as a single-character wildcard).
According to Wikipedia, quotes, % and several other characters are allowed in email addresses.
While I could do something like
emailAddr = emailAddr.Replace("_", "[_]").Replace("%", "[%]")...
before calling Membership.FindUsersByEmail, I think there should be a cleaner way to do this.
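As an added example (not code from the question or from ASP.NET itself), one way to make the lookup literal is to escape every T-SQL LIKE metacharacter before calling the provider, then filter the returned collection on an exact, case-insensitive comparison so that an address which still happens to match the pattern is dropped. It assumes the default SqlMembershipProvider, whose FindUsersByEmail passes the argument into a LIKE clause; the class and method names (MembershipEmailLookup, EscapeLikePattern, FindUserByExactEmail) are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Web.Security;

public static class MembershipEmailLookup
{
    // Escapes the characters SQL Server's LIKE treats specially so the
    // address is matched literally. Each character is handled once, in a
    // single pass, so "[" cannot be re-escaped by a later step the way it
    // could in a chain of Replace() calls. A lone "]" is literal in LIKE and
    // needs no escaping.
    public static string EscapeLikePattern(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '[': sb.Append("[[]"); break;
                case '_': sb.Append("[_]"); break;
                case '%': sb.Append("[%]"); break;
                default:  sb.Append(c);     break;
            }
        }
        return sb.ToString();
    }

    // Returns the account whose e-mail equals the supplied address exactly
    // (case-insensitively, matching the provider's lowered-email column), or
    // null when there is none. The post-filter is the second line of defence:
    // even if the escaping missed a pattern character, no wildcard match can
    // be returned to the caller.
    public static MembershipUser FindUserByExactEmail(string email)
    {
        if (string.IsNullOrEmpty(email)) return null;

        MembershipUserCollection candidates =
            Membership.FindUsersByEmail(EscapeLikePattern(email));

        return candidates
            .Cast<MembershipUser>()
            .FirstOrDefault(u => string.Equals(u.Email, email,
                                               StringComparison.OrdinalIgnoreCase));
    }
}

// Constructed sample inputs (not from the question):
//   EscapeLikePattern("a_df@example.com")  -> "a[_]df@example.com"
//   EscapeLikePattern("50%off[x]@ex.com")  -> "50[%]off[[]x]@ex.com"
```

The escaping alone is enough for the SqlMembershipProvider, but the exact-match filter costs one extra comparison and keeps the login path correct even if the provider or its stored procedure is swapped for one with different pattern semantics.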