wp_create_user() does not check for a valid email address

[mrwiblog]

When creating a new user an invalid email address (for example user@) will result in a zero-length string in the email field of the users table. If another new user is subsequently created with another invalid email address the error returned is "This email address is already registered."

It would be better for wp_create_user() to check if a valid email address has been given and return a more descriptive error. I attach a patch file for wp-includes/registration.php to include this functionality.

[mrwiblog]

Patch for wp-includes/registration.php

[nacin]

This reminds me of a ticket or two. Not sure if there are any duplicates though.

[mrwiblog]

The nearest thing I could find was #14417, and there's also #14308 which is in 3.1. Looks like there's a bit of cleaning up that could be done in that function.

[nacin]

Closed #14417 as a duplicate.

We should make email addresses required and enforce uniqueness. I think that will be necessary with #5919 with being able to log in with an email (though unsure if that is covered there).

[filosofo]

Replying to nacin:

We should make email addresses required and enforce uniqueness.

I think we should consider doing the opposite: making email addresses just another user datum, like URL. The current system, which de facto requires email addresses, makes it tricky to implement authorization or authentication protocols such as OAuth or OpenID that don't necessarily get you a user's email address.

Aside from emailing password resets (which is not needed for sites accepting those protocols), there's not much reason for core WP to require email addresses.

[jonkirkman]

Replying to filosofo:

Replying to nacin:

We should make email addresses required and enforce uniqueness.

I think we should consider doing the opposite: making email addresses just another user datum, like URL. The current system, which de facto requires email addresses, makes it tricky to implement authorization or authentication protocols such as OAuth or OpenID that don't necessarily get you a user's email address.

Aside from emailing password resets (which is not needed for sites accepting those protocols), there's not much reason for core WP to require email addresses.

I agree with Filosofo. This seems to be more of an issue with email_exists() not being cope with being passed an empty string which is the default behavior of some of the functions which rely upon it. If email_exists() is passed an empty string, perhaps it automatically return false without searching the users table.

[SergeyBiryukov]

#24630 was marked as a duplicate.

[SergeyBiryukov]

wp_create_user() was introduced in [2872], $email became optional in [2915], apparently for the MT importer.