The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Comments |
#12
|
|||
|
|||
Justin:
If you look over the code it checks to see if you have a userid from a cookie and then compares that to the database and the secret words. or if ($bbuserinfo['userid'] == 0 or $permissions['canmodifyprofile'] == 0) { show_nopermission(); So if the bbuserid is 0 (which it will be if they aren't logged in) then they get the "your aren't logged in " error message. Then the part that Chen wrote for me: if ($user) { $DB_site->query(" UPDATE user SET email = '".addslashes(htmlspecialchars($email))."' WHERE userid = $bbuserinfo[userid] "); eval('standarderror("'.gettemplate('redirect_email updated').'");'); } else { eval('standarderror("'.gettemplate('error_infoinva lid').'");'); } } If the bbuserid and the secret word don't match they get the "error_infoinvalid" template error message. Parker |
#13
|
||||
|
||||
OK, I understand now.
So it seems that this feature working depends on there being a cookie on the person's computer. Some people may be using the board without cookies, or they may be trying to get in from some other computer. I can see that second thing happening a lot, actually; someone goes to a public computer or a friend's computer, some other computer that isn't their own, and if they have their own browser set to remember passwords, they might not even remember their own password, because they never have to use it. So I think it may be a good idea if this didn't rely on cookies. To that end, perhaps on the form where it asks for your secret word and new email address, perhaps it could also ask for your username. Then the system would check if the username and secret word match, and go from there. |
#14
|
|||
|
|||
I will look into adding a Username check. I am also thinking of adding a check for things like "mother's maiden name", "name of family dog" that sort of stuff. I just haven't had the time to write that yet.
Parker |
#15
|
||||
|
||||
Nice Hack
|
#16
|
||||
|
||||
If using a system like "mother's maiden name" or other secret question/secret answer systems like you've suggested, I'd like to suggest that the answer be stored in the user's profile in encrypted form, like passwords.
|
#17
|
|||
|
|||
Justin:
Changing the script as written look in member.php for $user = $DB_site->query_first(" SELECT email,userid,secret FROM user WHERE secret='".addslashes($secret)."' AND userid = $bbuserinfo[userid] "); and change to $user = $DB_site->query_first(" SELECT email,userid,secret FROM user WHERE secret='".addslashes(md5($secret))."' AND userid = $bbuserinfo[userid] "); in register.php change '".addslashes($secret)."', change to '".addslashes(md5($secret))."', and admin/user.php '".addslashes($secret)."', change to '".addslashes(md5($secret))."', Look for $pwinclude=""; if ($apassword!="") { $pwdinclude=",password='".addslashes(md5($apasswor d))."'"; } and below this add: $secretinclude=""; if ($secret!="") { $secretinclude=",secret='".addslashes(md5($secret) )."'"; } then below this change '".addslashes($secret)."', to $secretinclude, and change makeinputcode("Secret Word","secret",$user[secret],0); to makeinputcode("Secret Word<br>Leave blank unless you want to change it","secret"); Parker |
#18
|
||||
|
||||
While Parker was writing and posting his reply to my suggestion, I was figuring out how to do it on my own, and while I was at it, I also incorporated my other idea, which is to ask you for your username rather than relying on a possibly non-existant cookie. I also incorporated Velocd's idea of using a question/answer system rather than a secret word by itself. The way I have done it is that the user specifies both the question and the answer. I had originally thought to use a list of questions in a drop-down menu box that the user could select, but that would have been more complicated coding than I felt like doing right now, and my way gives the user more freedom. There's no inherent advantage or disadvantage do doing it either way, from a practical standpoint.
I have attached a text file that is basically Parker's original instructions with my modifications. If you have already installed his original version, you will need to have your users enter a secret question and specify a new secret answer (existing secret words are not imported, as they are not encrypted and thus unusable, and I suppose I could have written into the script something to encrypt the old secret words, but since the user has to go to the profile to put in a secret question anyway, then they can just go ahead and put in the answer themselves without me having to figure out how to write that extra bit of code!). |
#19
|
|||
|
|||
Justin,
Your changes are excellent. Thanks to Parker for another great and useful solution! I will be installing this shortly. I'm surprised it's actually not in vB by default. Paul |
#20
|
|||
|
|||
Taking Justin's suggestion for encrypting the secret word in my original version of this script I have written a second version with the file changes needed.
I appreciate Justin's work into this and for his version. This gives you the ultimate choice of deciding which one that you would prefer to have on your site. This version works the same as the original it just encrypts all the secret words in the database. Note: This file has been updated as of 6/25/2002 After working with this on several sign ups I have found that the section that I added to the user.php file will over write the secret code if you moderate your board or change any member information from the admin control panel. I have made the necessary changes to the admin/user.php file as needed. Just download the script and make the changes in the user.php section. If you have not installed this hack just follow the outline in the hack. Parker |
#21
|
|||
|
|||
A more "secure" and user-friendly approach to this hack would be the following:
1. Requiring predefined questions which become part of the authentication procedure (entering in a username and seeing a question isn't a good idea from a security standpoint). 2. Converting the answer to lowercase before processing the md5 hash. ("What is my favorite flavor of ice cream?" A: "Strawberry" is not the same as "strawberry") 3. Creating an md5 hash of the secret answer prevents the administrator from making a visual determination to see if "Main Street" and "Main St." are actually both the correct answer. If the user cannot remember their password, chances are they won't recall the exact spelling and punctuation used in their answer. Any thoughts? Paul Edit: These comments apply to Justin's version of the hack. I'm assuming the easiest way to do this would be a strtolower() around any processing of secret_a and creating another table with the various questions and an id number (reducing the overall size of the database) (i.e. "What is the name of the town you were born in?" = "2") secret_q would then have a value of "2" I'll try doing this myself tomorrow, but I have a limited knowledge of the workings of vb |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|