Re: Forgot Password Flood Protection

dummy@example.com (Tieguy) — Wed, 25 Mar 2009 22:10:30 +0000

I'll write this up for you real quick.

MySQL Query:

ALTER TABLE `users` ADD `last_pass_request` INT( 10 ) NOT NULL

Open Login.php
Find:

        // Validate the email-address
        $email = strtolower(trim($_POST['req_email']));
        if (!is_valid_email($email))
            message($lang_common['Invalid e-mail']);

Add after:

        $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email).'\' AND last_pass_request>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        if ($db->num_rows($result))
            message('A user has requested a new password too recently to send another.  Please wait an hour or contact an admistrator.');

        // Add the last password request for this email to the database
        $db->query('UPDATE users SET last_pass_request="'.time().'" WHERE email="'.$db->escape($email).'"') or error('Unable to add last password request info to the database', __FILE__, __LINE__, $db->error());

I tested and it worked on my local server. Let me know if there are any problems.

Forgot Password Flood Protection

dummy@example.com (lush) — Tue, 24 Mar 2009 01:37:41 +0000

Does anyone have some code already in use to prevent forgot password flooding?

The way 1.2.x works now there is nothing that keeps someone from entering a users email over and over requesting a new password.

PunBB Forums - Forgot Password Flood Protection

Re: Forgot Password Flood Protection

Forgot Password Flood Protection