[ic] get_password multiple email "one per account"

Peter peter at pajamian.dhs.org
Wed Mar 28 17:13:10 EST 2007

On 03/28/2007 10:21 AM, David Bordas wrote:
>> BTW, this is important and something I just remembered from when I did
>> this myself.  A blank search will match every entry in the db,
>> therefore, if someone tries to request a password and leaves all of the
>> criteria blank, IC will send every user in the system their username and
>> password... 
>> [comment]Avoid empty searchspec[/comment]
>> [bounce href="[area login]" if=`!$CGI_array->{mv_searchspec}->[1]`]
>> Note that this code will probably break for you.  It works for me
>> because I modified the password retrieval to only use the email address.
>>  You will likely need to check more than one variable.
>> Peter
> Sorry, i forgot to answer you.
> I'm in the same situation as you, i modified password retrieval to only
> use email address too.
> Thank you for telling me this story.
> In fact i've "solved" it. I've put this code back :
> [if value mv_search_match_count > 3]
> Too much answer, <a href='[area contact]'>contact us</a>.
> [set get_id_matches][/set]
> [/if]
> Checking if mv_searchspec is not blank is a good idea, but if someone
> look at a popular ISP, example aol.com, then you will send password
> retrieval to all your customers with an aol mail...
> This not very good too... :(

That should be easily solved by setting mv_substring_match to no.

I also use this searchspec which prevents results from auto-generated users:

<input type="hidden" name="mv_search_field" value="username">
<input type="hidden" name="mv_substring_match" value="no">
<input type="hidden" name="mv_column_op" value="rn">
<input type="hidden" name="mv_searchspec" value="^U\d+$">


More information about the interchange-users mailing list