1

Topic: Forgot Password Flood Protection

Does anyone have some code already in use to prevent forgot password flooding?

The way 1.2.x works now, there is nothing that keeps someone from entering a user's email over and over requesting a new password.

2 (edited by Tieguy 2009-03-25 22:22)

Re: Forgot Password Flood Protection

I'll write this up for you real quick.

MySQL Query:

ALTER TABLE `users` ADD `last_pass_request` INT( 10 ) NOT NULL

Open Login.php
Find:

        // Validate the email-address
        $email = strtolower(trim($_POST['req_email']));
        if (!is_valid_email($email))
            message($lang_common['Invalid e-mail']);

Add after:

        // Refuse if this address already requested a password within the last hour
        $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email).'\' AND last_pass_request>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        if ($db->num_rows($result))
            message('A user has requested a new password too recently to send another.  Please wait an hour or contact an administrator.');

        // Add the last password request for this email to the database
        $db->query('UPDATE '.$db->prefix.'users SET last_pass_request='.time().' WHERE email=\''.$db->escape($email).'\'') or error('Unable to add last password request info to the database', __FILE__, __LINE__, $db->error());

I tested and it worked on my local server.  Let me know if there are any problems.

If you need any PunBB 1.2.* mods done, feel free to send me a PM; we can work out a price [if need be].
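The throttle described in the reply above, written out as a stand-alone example; this is added illustration code, not PunBB's code or the poster's mod. It keeps the post's table and column names (`users`, `email`, `last_pass_request`) and its one-hour window, but runs against an in-memory SQLite database with constructed sample data and prepared statements, and the function names (`open_db`, `try_claim_password_request`, `handle_forgot_password`) are assumptions. Two points a practitioner would want beyond the post: the check and the timestamp write are one `UPDATE` so that two requests arriving in the same second cannot both pass, and the caller gets the same reply whether the address is unknown or throttled, so the page cannot be used to tell which addresses are registered.

```php
<?php
// Added example: per-address flood protection for "forgot password" requests.
// Assumptions: in-memory SQLite via PDO, constructed sample user data, and the
// helper names below; only the table/column names come from the original post.

const PASS_REQUEST_INTERVAL = 3600; // seconds between requests for one address

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        last_pass_request INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample row for the demonstration
    $db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");
    return $db;
}

// Returns true when a reset may be sent for $email now. The timestamp is
// recorded in the same statement that checks it, so the check-and-set is
// atomic: only one of several concurrent requests can see rowCount() == 1.
function try_claim_password_request(PDO $db, string $email, int $now): bool
{
    $email = strtolower(trim($email));
    $stmt = $db->prepare('UPDATE users SET last_pass_request = :now
                          WHERE email = :email AND last_pass_request <= :cutoff');
    $stmt->execute([
        ':now'    => $now,
        ':email'  => $email,
        ':cutoff' => $now - PASS_REQUEST_INTERVAL,
    ]);
    return $stmt->rowCount() === 1;
}

// Request handler: validates the address, sends only when the claim succeeds,
// and answers identically for unknown, throttled and accepted addresses.
function handle_forgot_password(PDO $db, string $email, int $now): string
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'Invalid e-mail';
    }
    if (try_claim_password_request($db, $email, $now)) {
        // send_reset_mail($email) would go here (not implemented in this example)
    }
    return 'If the address is registered, a new password has been sent.';
}

// Demonstration: first request is accepted, a second one a minute later is
// throttled, and one an hour later is accepted again.
$db = open_db();
$t  = time();
var_dump(try_claim_password_request($db, 'alice@example.com', $t));
var_dump(try_claim_password_request($db, 'alice@example.com', $t + 60));
var_dump(try_claim_password_request($db, 'alice@example.com', $t + PASS_REQUEST_INTERVAL + 1));
echo handle_forgot_password($db, 'nobody@example.com', $t), "\n";
```

Against MySQL and the PunBB `$db` wrapper the same single `UPDATE ... WHERE last_pass_request <= cutoff` works with `$db->affected_rows()` in place of `rowCount()`; the point is that the row is claimed and checked in one statement rather than a `SELECT` followed by a separate `UPDATE`.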