create.bml was comparing
@LJ::PROTECTED_USERNAMES rather than
$user, which has been shoved through
LJ::canonical_username. The affect of this was that people could create lj_whatever by using hyphen instead of an underscore.
My patch fixes this by comparing against the canonicalised version instead.
I also rearranged the checks so that the "you must enter a username" thing can work on the canonicalised version, to reduce such oversights in the future. The canonical vs entered check had to go first because
LJ::canonical_username returns an empty string if the username is invalid.
Simple stuff. I can't leave it running on my goathack because that machine will be in pain during the day tomorrow, I reckon. I'm sure you can see by the patch that it works, anyway... it's not exactly complicated.