View Full Version : Username registration validation?


bigrover
07-22-2010, 12:30 AM
I am trying to figure out how vB validates a new username during registration. I want to use the same logic or routines to validate a loginname field I have created in the user profile. I haven't found where the username validate routines are being called. I would appreciate a pointer in the right direction.

The hack I am working on allows a user to log in with a different name than the username. The reason is to deal with some denial of service issues related to people targeting certain members of a forum. A perp can either saturate the login process with repeated login attacks/failures, or engage a user lockout for repeated login failures. In either case, users have experienced denial of access to their forum. I have been requested to provide a bit of security via obfuscation. I have read a number of threads discussing mods to add a display name similar to other products. After some consideration, I have concluded it would be preferable to not attempt to disrupt the user name functionality in vB and the many mods I may want to take advantage of. A better solution is to authenticate logins against another value linked to the standard user name and userid. I have this working with a loginname stored in field5 of the userprofile table. What I need to do now is validate the loginname is unique during the registration process.

Guest190829
07-22-2010, 02:38 AM
It should, hopefully, be in the User datamanager class (includes/class_dm_user.php) -- I don't have the vB code available to me right now to check.

bigrover
07-22-2010, 07:39 PM
I found that. Now I need to wrap my head around datamanagers in general. I will dig into the user datamanager class to see if the profile fields are included or if they are handled separately.

bigrover
07-23-2010, 07:59 PM
Actually, this looks like it is happening at the client level. It is interactive during the entry of the new username. There must be some script running on the client that is validating the value entered as it is being typed. I would like to duplicate this behavior on another field. Any ideas?

Guest190829
07-23-2010, 08:12 PM
Well, the client checking is just another additional layer of protection; you'll still need to verify the input on the server end.

(E.g., I can enter a username that is already taken and still submit the form, despite the error popping up.)

bigrover
07-23-2010, 08:27 PM
OK, I see that now. It looks like the profile fields aren't using a datamanager so I need to validate them myself. What I haven't figured out yet is how the error handler works and how to extend it to custom errors.

Specifically, I want to verify that field5 in the profile is unique vs. all other users' field5. I may also choose to verify it doesn't match any other username in the system. If it fails the test I want to throw an error and have it come back to re-enter like the other required fields in the registration form.

Any suggestions on how I could do this?
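
Added example, not part of the thread and not vBulletin code: a server-side check of the kind discussed above, rejecting a login name that matches another user's field5 or any username, with a unique index as the backstop. The `user` and `userfield` tables, the SQLite in-memory database and the function names `validate_loginname` and `register` are assumptions made for illustration; only `field5` comes from the thread.

```php
<?php
// Constructed schema for illustration only; not vBulletin's tables or datamanager API.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec('CREATE TABLE userfield (userid INTEGER PRIMARY KEY, field5 TEXT)');
// The unique index is the real guarantee: it closes the race between check and insert.
$db->exec('CREATE UNIQUE INDEX idx_loginname ON userfield (field5 COLLATE NOCASE)');
$db->exec("INSERT INTO user VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO userfield VALUES (1, 'al1ce-login'), (2, 'b0b-login')");

// Returns error strings; an empty array means the login name is acceptable.
function validate_loginname(PDO $db, string $loginname, int $userid = 0): array {
    $loginname = trim($loginname);
    if ($loginname === '') return ['Login name is required.'];
    $errors = [];
    // Unique against every other user's field5, ignoring case.
    $q = $db->prepare('SELECT 1 FROM userfield WHERE field5 = ? COLLATE NOCASE AND userid <> ?');
    $q->execute([$loginname, $userid]);
    if ($q->fetchColumn()) $errors[] = 'That login name is already in use.';
    // Must not equal any public username, or the hidden login name is guessable.
    $q = $db->prepare('SELECT 1 FROM user WHERE username = ? COLLATE NOCASE');
    $q->execute([$loginname]);
    if ($q->fetchColumn()) $errors[] = 'Login name must differ from existing usernames.';
    return $errors;
}

function register(PDO $db, int $userid, string $username, string $loginname): array {
    $errors = validate_loginname($db, $loginname, $userid);
    // The new account's own username is not in the table yet, so compare it directly.
    if (strcasecmp(trim($loginname), $username) === 0) $errors[] = 'Login name must differ from your username.';
    if ($errors) return $errors; // caller re-displays the form with these messages
    try {
        $db->beginTransaction();
        $db->prepare('INSERT INTO user VALUES (?, ?)')->execute([$userid, $username]);
        $db->prepare('INSERT INTO userfield VALUES (?, ?)')->execute([$userid, trim($loginname)]);
        $db->commit();
        return [];
    } catch (PDOException $e) {
        $db->rollBack();
        return ['That login name is already in use.']; // e.g. the index rejected a concurrent duplicate
    }
}

// Constructed registrations: case variant of a taken login name, a public username, a fresh value.
foreach ([[3, 'carol', 'AL1CE-LOGIN'], [3, 'carol', 'Bob'], [3, 'carol', 'c4rol-login']] as $r) {
    echo $r[2], ': ', json_encode(register($db, ...$r)), "\n";
}
```

The browser-side check can stay as a convenience; the error array returned here is what decides whether the registration form is shown again.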