I’m using an ASP .NET Membership database to authenticate users in a web application.
Users log in using their email addresses but something else is used in the Username field of the database.
So on the login form, I fetch my users using Membership.FindUsersByEmail.
The problem is that this function uses a ‘LIKE’ in SQL and that SQL wildcards are not escaped in that method.
So using the method on, say, a_df@example.com will return the usernames for both a_df@example.com and asdf@example.com (because of the underscore being treated as a wildcard).
According to wiki, quotes, %, and a bunch of other characters are accepted in e-mail addresses.
While I could do something like
emailAddr = emailAddr.Replace("_", "[_]").Replace("%", "[%]")...
before calling Membership.FindUsersByEmail, I’m thinking that there must be a cleaner way to do this.
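As an added example (not code from the question or from ASP.NET itself), here is one way to escape the LIKE wildcards before calling Membership.FindUsersByEmail and then keep only the rows whose stored e-mail is an exact match, so a lookup for a_df@example.com can never resolve to asdf@example.com. It assumes the SqlMembershipProvider on SQL Server, where `[...]` is the LIKE escape syntax used in the question; the class and method names are illustrative.

```csharp
using System;
using System.Web.Security;

// Illustrative helper (hypothetical name), not part of System.Web.Security.
public static class EmailLookup
{
    // Escape the characters SQL Server's LIKE treats specially: [, % and _.
    // '[' must be escaped first so the brackets added for % and _ are not
    // themselves escaped again.
    public static string EscapeLikePattern(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        return value.Replace("[", "[[]")
                    .Replace("%", "[%]")
                    .Replace("_", "[_]");
    }

    // Look the user up through the provider, then require an exact
    // (case-insensitive) match on the stored e-mail. Returns null when no
    // account matches; throws when several accounts share the address, because
    // a login path must never silently pick one of several candidates.
    public static MembershipUser FindByExactEmail(string email)
    {
        if (string.IsNullOrEmpty(email)) return null;

        int totalRecords;
        MembershipUserCollection candidates = Membership.FindUsersByEmail(
            EscapeLikePattern(email), 0, 10, out totalRecords);

        MembershipUser match = null;
        foreach (MembershipUser user in candidates)
        {
            if (!string.Equals(user.Email, email, StringComparison.OrdinalIgnoreCase))
                continue;                       // wildcard-only match, discard it

            if (match != null)
                throw new InvalidOperationException(
                    "More than one account uses the e-mail address " + email);
            match = user;
        }
        return match;
    }
}
```

The exact-match check after the query is the part worth keeping even if the provider is later changed: it makes the login independent of whatever the underlying lookup treats as a wildcard.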
In a situation like this I think I would enforce that the email address had to be unique and then just get the user via MembershipProvider.GetUserNameByEmail.