If you use this module, your customers can only select one of the domains the admin creates for them. They cannot free edit the domain-field.You have to re-login after changing this value, to make the changes visible.
You're willing to say that it is not the best way?
A simple check in the database can be avoided this kind of fault who can compromise the security of all the host ?
With this vulnerability everyone can make a phishing page and really realistic and with a guaranteed result