[ic] get_password multiple email "one per account"
Peter
peter at pajamian.dhs.org
Wed Mar 28 17:13:10 EST 2007
On 03/28/2007 10:21 AM, David Bordas wrote:
>
>> BTW, this is important and something I just remembered from when I did
>> this myself. A blank search will match every entry in the db,
>> therefore, if someone tries to request a password and leaves all of the
>> criteria blank, IC will send every user in the system their username and
>> password...
>> [comment]Avoid empty searchspec[/comment]
>> [bounce href="[area login]" if=`!$CGI_array->{mv_searchspec}->[1]`]
>>
>>
>> Note that this code will probably break for you. It works for me
>> because I modified the password retrieval to only use the email address.
>> You will likely need to check more than one variable.
>>
>> Peter
>>
> Sorry, I forgot to answer you.
> I'm in the same situation as you, I modified password retrieval to only
> use email address too.
>
> Thank you for telling me this story.
>
> In fact I've "solved" it. I've put this code back:
>
> [if value mv_search_match_count > 3]
> Too much answer, <a href='[area contact]'>contact us</a>.
> [set get_id_matches][/set]
> [/if]
>
> Checking if mv_searchspec is not blank is a good idea, but if someone
> looks at a popular ISP, for example aol.com, then you will send password
> retrieval to all your customers with an aol mail...
> This is not very good either... :(

That should be easily solved by setting mv_substring_match to no.

I also use this searchspec which prevents results from auto-generated users:

<input type="hidden" name="mv_search_field" value="username">
<input type="hidden" name="mv_substring_match" value="no">
<input type="hidden" name="mv_column_op" value="rn">
<input type="hidden" name="mv_searchspec" value="^U\d+$">

Peter
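
Added example, not part of the original messages and not Interchange code: a stand-alone Python model of the lookup rules discussed in this thread (refusing blank input, exact match instead of substring match, skipping auto-generated usernames, and a match-count cap). The user rows, function names and parameters are constructed for illustration, and reading mv_column_op "rn" as a negated regex match is an assumption.

```python
import re

# Constructed sample userdb rows (username, email); not data from the thread.
USERS = [
    ("alice", "alice@aol.com"),
    ("bob", "bob@aol.com"),
    ("carol", "carol@example.org"),
    ("U00017", "carol@example.org"),  # auto-generated account
]

# Pattern taken from the mv_searchspec value in the post.
AUTO_USER = re.compile(r"^U\d+$")


def naive_lookup(email):
    """Substring match with no guards: the behaviour the thread warns about."""
    return [u for u, e in USERS if email.lower() in e.lower()]


def guarded_lookup(email, max_matches=3):
    """Return the usernames a reminder may be mailed for, or [] if refused."""
    email = (email or "").strip().lower()
    if not email:
        # A blank search criterion matches every row, so refuse it outright.
        return []
    hits = [
        u for u, e in USERS
        if e.lower() == email          # exact match, like mv_substring_match=no
        and not AUTO_USER.match(u)     # assumed meaning of mv_column_op=rn
    ]
    if len(hits) > max_matches:
        # Same idea as the mv_search_match_count check quoted above.
        return []
    return hits


if __name__ == "__main__":
    for query in ("", "aol.com", "carol@example.org"):
        print(repr(query), naive_lookup(query), guarded_lookup(query))
```
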