<![CDATA[PunBB Forums - Forgot Password Flood Protection]]> 2009-03-25T22:10:30Z PunBB http://punbb.informer.com/forums/topic/21380/forgot-password-flood-protection/ <![CDATA[Re: Forgot Password Flood Protection]]> I'll write this up for you real quick.

MySQL Query:

ALTER TABLE `users` ADD `last_pass_request` INT( 10 ) NOT NULL

Open Login.php
Find:

        // Validate the email-address
        $email = strtolower(trim($_POST['req_email']));
        if (!is_valid_email($email))
            message($lang_common['Invalid e-mail']);

Add after:

        $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email).'\' AND last_pass_request>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        if ($db->num_rows($result))
            message('A user has requested a new password too recently to send another.  Please wait an hour or contact an admistrator.');

        // Add the last password request for this email to the database
        $db->query('UPDATE users SET last_pass_request="'.time().'" WHERE email="'.$db->escape($email).'"') or error('Unable to add last password request info to the database', __FILE__, __LINE__, $db->error());

I tested and it worked on my local server.  Let me know if there are any problems.

]]> http://punbb.informer.com/forums/user/12667/ 2009-03-25T22:10:30Z http://punbb.informer.com/forums/post/126111/#p126111 <![CDATA[Forgot Password Flood Protection]]> Does anyone have some code already in use to prevent forgot password flooding?

The way 1.2.x works now there is nothing that keeps someone from entering a users email over and over requesting a new password.

]]> http://punbb.informer.com/forums/user/15100/ 2009-03-24T01:37:41Z http://punbb.informer.com/forums/post/126033/#p126033