Topic: Forgot Password Flood Protection

Does anyone have some code already in use to prevent forgot password flooding?

The way 1.2.x works now there is nothing that keeps someone from entering a users email over and over requesting a new password.

2 (edited by Tieguy 2009-03-25 22:22)

Re: Forgot Password Flood Protection

I'll write this up for you real quick.

MySQL Query:

ALTER TABLE `users` ADD `last_pass_request` INT( 10 ) NOT NULL

Open Login.php

        // Validate the email-address
        $email = strtolower(trim($_POST['req_email']));
        if (!is_valid_email($email))
            message($lang_common['Invalid e-mail']);

Add after:

        $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email).'\' AND last_pass_request>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        if ($db->num_rows($result))
            message('A user has requested a new password too recently to send another.  Please wait an hour or contact an admistrator.');

        // Add the last password request for this email to the database
        $db->query('UPDATE users SET last_pass_request="'.time().'" WHERE email="'.$db->escape($email).'"') or error('Unable to add last password request info to the database', __FILE__, __LINE__, $db->error());

I tested and it worked on my local server.  Let me know if there are any problems.

If you need any PunBB 1.2.* mods done, feel free to send me a PM; we can work out a price [if need be].