| author | Igor Wiedler <igor@wiedler.ch> | 2010-10-17 21:32:20 +0200 |
|---|---|---|
| committer | Igor Wiedler <igor@wiedler.ch> | 2010-10-17 21:32:20 +0200 |
| commit | 2895ade5662032caac4af2c82143d34f40f5800b (patch) | |
| tree | d00f7e18330536599e0ef46f7184f67708f02ba2 | |
| parent | 6582455e5d2b207d7d497766514529d82201339d (diff) | |
| parent | 0452da2bf1f93dc8d9ea5c73f1276a5976eaca7d (diff) | |
Merge branch 'ticket/bantu/7538' into develop-olympus
* ticket/bantu/7538:
[ticket/7538] Limit user_login_attempts to prevent SQL errors.
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 6 | ||||
| -rw-r--r-- | phpBB/includes/constants.php | 4 |
2 files changed, 8 insertions, 2 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 73c4f92976..e04a6307e9 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -134,7 +134,8 @@ function login_db(&$username, &$password)
 // increase login attempt count to make sure this cannot be exploited
 $sql = 'UPDATE ' . USERS_TABLE . '
 SET user_login_attempts = user_login_attempts + 1
- WHERE user_id = ' . $row['user_id'];
+ WHERE user_id = ' . (int) $row['user_id'] . '
+ AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 $db->sql_query($sql);
 
 return array(
@@ -194,7 +195,8 @@ function login_db(&$username, &$password)
 // Password incorrect - increase login attempts
 $sql = 'UPDATE ' . USERS_TABLE . '
 SET user_login_attempts = user_login_attempts + 1
- WHERE user_id = ' . $row['user_id'];
+ WHERE user_id = ' . (int) $row['user_id'] . '
+ AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 $db->sql_query($sql);
 
 // Give status about wrong password...
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index ff572869e2..ebaa342f54 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -69,6 +69,10 @@ define('LOGIN_ERROR_ATTEMPTS', 13);
 define('LOGIN_ERROR_EXTERNAL_AUTH', 14);
 define('LOGIN_ERROR_PASSWORD_CONVERT', 15);
 
+// Maximum login attempts
+// The value is arbitrary, but it has to fit into the user_login_attempts field.
+define('LOGIN_ATTEMPTS_MAX', 100);
+
 // Group settings
 define('GROUP_OPEN', 0);
 define('GROUP_CLOSED', 1);
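Review bot: The added `AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX` predicate makes the counter saturate at 100, so if the lockout threshold this counter is compared against elsewhere in login_db is configurable and can be set at or above LOGIN_ATTEMPTS_MAX, the lockout would presumably never fire; that coupling is not visible in this hunk and wants either a check where the threshold is read or a comment on the new line, e.g. `// counter saturates at LOGIN_ATTEMPTS_MAX, so the lockout threshold must stay below it`. The `(int)` cast on `$row['user_id']` is the right fix for the interpolated id, but the whole UPDATE statement is duplicated verbatim in the hunk at line 195; a small helper taking the user id would keep the cast and the cap in one place. login_db starts and ends outside both hunks.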
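Review bot: The comment on the new LOGIN_ATTEMPTS_MAX constant says the value "has to fit into the user_login_attempts field" without naming the column type that bounds it, so whoever raises it later cannot check the limit without opening the schema; a more useful form is `// Must fit the user_login_attempts column type in the users table schema (see [SCHEMA_FILE]); raising it requires widening the column`. Naming the constraint also explains why the value is a constant rather than a board setting.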
