Forgot password fails if there is a space before the e-mail address #42374

@thomaslanger

Description

Steps to reproduce the issue

Any Joomla 3, 4 or 5 site. Use the password reset function in site/frontend.

  1. Insert your e-mail address in the form and add a space at the beginning. E.g. " [email protected]". You will receive no e-mail.
  2. Insert your e-mail address correctly in the form and submit. In the e-mail, click on the link and your browser shows the second step with the code filled. Now insert your e-mail address in the form as in 1., with the space at the beginning. If you submit the form you get a notice that the user is not found.

If you add the space at the end, then you receive the e-mail and you can reset the password as expected.

Expected result

  1. receive the e-mail
  2. show next step to set Password.

Actual result

User not found. No e-mail is sent, or in step #2 you can't reset your password because the user is not found.

System information (as much as possible)

Tested with Joomla 3.10.12, Joomla! 3.10.13-elts, Joomla! 4.4 and Joomla! 5.0
PHP 8.1
MySQL 5.7 (J3+J4) (mamp)
MariaDB 11.1.2 (J5)

Additional comments

It seems that the space is not removed and the input is passed on to the database. This results in a SQL query like
SELECT * FROM #__users WHERE LOWER(email) = LOWER(" [email protected]")
If you add the space at the end you get
SELECT * FROM #__users WHERE LOWER(email) = LOWER("[email protected] ")
The second query will find your user because MySQL ignores the space.

All e-mail addresses should be processed with the PHP command trim().

Why is this important: We have many users who copy/paste their email into forms. Another source of error could be browser autofill.
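
The behaviour described in this report, as an added example that is not part of the original issue and is not Joomla's code: SQLite's built-in RTRIM collation stands in for the MySQL comparison that ignores trailing spaces, and the table, the sample address and the function names are constructed for illustration. It also covers pasted input with a tab and newline, which goes slightly beyond the single-space case in the report.

```php
<?php
declare(strict_types=1);

// Stand-in for the users table (assumption: in-memory SQLite instead of MySQL).
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (email) VALUES ('jane@example.org')"); // constructed row
    return $db;
}

// Lookup as described in the report: the submitted value reaches the query
// unchanged. COLLATE RTRIM makes the comparison ignore trailing spaces only.
function findUserRaw(PDO $db, string $email): ?int
{
    $stmt = $db->prepare(
        'SELECT id FROM users WHERE LOWER(email) = LOWER(:email) COLLATE RTRIM'
    );
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hypothetical helper: trim() before the lookup, so the reset-request step
// and the confirm step resolve the same user for the same typed address.
function findUserTrimmed(PDO $db, string $email): ?int
{
    return findUserRaw($db, trim($email));
}

$db = makeDb();
$inputs = [ // constructed sample submissions
    'exact'          => 'jane@example.org',
    'leading space'  => ' jane@example.org',
    'trailing space' => 'jane@example.org ',
    'tab + newline'  => "\tJane@Example.org\n",
];
foreach ($inputs as $label => $value) {
    printf(
        "%-15s raw=%-5s trimmed=%s\n",
        $label,
        var_export(findUserRaw($db, $value) !== null, true),
        var_export(findUserTrimmed($db, $value) !== null, true)
    );
}
```

The trailing-space match depends on the column's collation: it holds for PAD SPACE collations, while a NO PAD collation treats trailing spaces as significant, so trimming in the application is what makes the result the same everywhere.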
