Diffstat (limited to 'phpBB/includes')
| -rw-r--r-- | phpBB/includes/.htaccess | 4 | ||||
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 6 | ||||
| -rw-r--r-- | phpBB/includes/constants.php | 4 | 
3 files changed, 12 insertions, 2 deletions
|
diff --git a/phpBB/includes/.htaccess b/phpBB/includes/.htaccess
new file mode 100644
index 0000000000..4128d345ab
--- /dev/null
+++ b/phpBB/includes/.htaccess
@@ -0,0 +1,4 @@
+<Files *>
+	Order Allow,Deny
+	Deny from All
+</Files>
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 73c4f92976..e04a6307e9 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -134,7 +134,8 @@ function login_db(&$username, &$password)
 				// increase login attempt count to make sure this cannot be exploited
 				$sql = 'UPDATE ' . USERS_TABLE . '
 					SET user_login_attempts = user_login_attempts + 1
-					WHERE user_id = ' . $row['user_id'];
+					WHERE user_id = ' . (int) $row['user_id'] . '
+						AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 				$db->sql_query($sql);
 				return array(
@@ -194,7 +195,8 @@ function login_db(&$username, &$password)
 	// Password incorrect - increase login attempts
 	$sql = 'UPDATE ' . USERS_TABLE . '
 		SET user_login_attempts = user_login_attempts + 1
-		WHERE user_id = ' . $row['user_id'];
+		WHERE user_id = ' . (int) $row['user_id'] . '
+			AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 	$db->sql_query($sql);
 	// Give status about wrong password...
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index ff572869e2..ebaa342f54 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -69,6 +69,10 @@ define('LOGIN_ERROR_ATTEMPTS', 13);
 define('LOGIN_ERROR_EXTERNAL_AUTH', 14);
 define('LOGIN_ERROR_PASSWORD_CONVERT', 15);
+// Maximum login attempts
+// The value is arbitrary, but it has to fit into the user_login_attempts field.
+define('LOGIN_ATTEMPTS_MAX', 100);
+
 // Group settings
 define('GROUP_OPEN', 0);
 define('GROUP_CLOSED', 1);
|
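Review bot: Nothing in this new file says that the deny rule only takes effect on Apache, and only when the server configuration's AllowOverride lets .htaccess set access controls; on other web servers, or with overrides disabled, phpBB/includes stays directly requestable. I would add a leading comment such as `# Defence in depth only: ignored by non-Apache servers and when AllowOverride forbids it`, so nobody treats this file as the sole guard for the include scripts. `Order`/`Deny` are also the older access-control directives; on Apache 2.4 they need mod_access_compat, where the native form is `Require all denied`.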
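Review bot: The added `AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX` clause has no explanation at the query, and the existing comment above it ("to make sure this cannot be exploited") does not cover it; the same applies to the identical statement in the hunk at -194. A one-line comment at both sites would do, for example `// Stop counting at LOGIN_ATTEMPTS_MAX so the counter cannot overflow the user_login_attempts column`. Since the two UPDATE statements now repeat the same logic, a small private helper taking the user id would keep them from drifting apart. login_db starts and ends outside both hunks.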
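Review bot: The comment on `LOGIN_ATTEMPTS_MAX` states only the upper bound (the value must fit user_login_attempts), not the lower one. Because the UPDATEs in auth_db.php now stop incrementing at this value, any attempt limit the counter is compared against elsewhere has to be at most 100, or it can never be reached and the throttling it triggers is silently disabled. That comparison is not visible in this diff, so this is an assumption to check. I would add `// Must not be lower than the largest login-attempt limit the counter is compared against.` below the existing two comment lines.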
