MyBB Community Forums

Full Version: system trying to reset 5,000 passwords
Hello all,

I just got surprised by something kick-starting the password-reset routine on my board. I have a board with almost 20,000 registered people (which I mass-registered from another database). However not all these records have an email. Just an hour ago I found out that my email-box was filling with some 5,000 bounced emails (due to lack of recipient-address). These messages were the password-reset messages for real users in my system.

Now my guess is that someone tried to use the resetpassword-function in the system, got an error that threw the whole system in a loop to go through every single account in the system......then again..it stopped after 5,000 records.....but this could also be the server killing it for taking too much time/resources..

Now I need help.

I would like to make sure this doesn't happen again.

I would like to for example make sure that the system won't even try to send any messages to a user that doesn't have an email in the system. (Yes I know this is not supposed to happen anyway as email is a prerequisite for registration....but in my case it wasn't due to the need for migrating users in from another system).

I would also like to find out what caused this to happen in the first place and how can I prevent it from happening again.

cheers,
Kimmo
Open up member.php and find this:
	$email = addslashes($email);
	$query = $db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE email='".addslashes($mybb->input['email'])."'");
	$numusers = $db->num_rows($query);
	if($numusers < 1)
	{
		error($lang->error_invalidemail);
	}

Replace it with:
	if(!$mybb->input['email'])
	{
		error($lang->error_invalidemail);
	}
	$query = $db->query("SELECT COUNT(uid) AS count FROM ".TABLE_PREFIX."users WHERE email='".addslashes($mybb->input['email'])."'");
	$numusers = $db->db->fetch_array($query);
	if($numusers['count'] < 1)
	{
		error($lang->error_invalidemail);
	}

That should solve that problem - I'll also commit the code into MyBB.

Also, I'd recommend changing the usergroup for all of those without email addresses to awaiting activation or something similar, and adding a notice on your forums informing your users that to be able to post, MyBB requires an email address.

Thanks Kimmo.

Chris
Thanks Chris! Can you tell me in normal English what was going wrong and why?

cheers,
Kimmo
	if(!$mybb->input['email'])
	{
		error($lang->error_invalidemail);
	}
	$query = $db->query("SELECT COUNT(uid) AS count FROM ".TABLE_PREFIX."users WHERE email='".addslashes($mybb->input['email'])."'");
	$numusers = $db->db->fetch_array($query);
	if($numusers['count'] < 1)
	{
		error($lang->error_invalidemail);
	}

The first part was added to verify that there is an email address, and to give an error so that no extra SQL queries have to be done to check it.

The only other change should be $numusers in the if statement to $numusers['count'] because the stuff returned from the query is in an array in the 'count' key.

I'm not sure why there is a double $db->db. I think there should be just one ($db->fetch_array), someone should check that.
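
The empty-address check described above, as an added PHP example (not MyBB's code and not written by any poster in this thread). It assumes the reset lookup matched accounts stored with an empty email when the form field was left blank; the `users` table layout, the sample rows and both function names are hypothetical, and PDO with SQLite stands in for MyBB's `$db` layer.

```php
<?php
// Added illustration; not MyBB code. Table layout and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, email TEXT NOT NULL DEFAULT '')");

// Constructed sample data: two migrated accounts without an address, one with.
$ins = $pdo->prepare("INSERT INTO users (username, email) VALUES (?, ?)");
foreach ([['migrated1', ''], ['migrated2', ''], ['kim', 'kim@example.com']] as $row) {
    $ins->execute($row);
}

// Original pattern: look up whatever was submitted, reject only when nothing matches.
function recipients_unchecked(PDO $pdo, string $input): array
{
    $stmt = $pdo->prepare("SELECT uid, username, email FROM users WHERE email = ?");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject empty or malformed input before querying, and never
// return a row whose stored address is empty.
function recipients_checked(PDO $pdo, string $input): array
{
    $input = trim($input);
    if ($input === '' || filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return [];
    }
    $stmt = $pdo->prepare("SELECT uid, username, email FROM users WHERE email = ? AND email <> ''");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare how many accounts each lookup would mail for a blank and a real address.
foreach (['', 'kim@example.com'] as $submitted) {
    printf("input %-18s unchecked=%d checked=%d\n",
        var_export($submitted, true),
        count(recipients_unchecked($pdo, $submitted)),
        count(recipients_checked($pdo, $submitted)));
}
```

Run it with the pdo_sqlite extension enabled. Both functions return the full user rows, so the caller can count them and build the mails from one query.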
okay...this fix might work....and stop the thousands of emails....but it renders the lostpw function non-functional altogether

Fatal error: Call to a member function fetch_array() on a non-object

is what is printed if I leave it as the code is in your post Chris,
if I remove the extra db-> page seems okay but no mail is sent...

cheers,
Kimmo
umm....bump....having a forum of 20,000 users...people are bound to forget their passwords....but the system doesn't work now (after using Chris' fix here) it simply doesn't mail anyone after I remove the seemingly redundant db-> but if I leave it...the FATAL ERROR occurs......anyone???

HELP PLEASE?
Why are there two $db's, Chris? Is this another snippet of code from a future version of MyBB?
I'm pretty sure the future versions of MyBB don't use $db->db (that's just redundant)
but that kinda leaves the issue that the fix provided above....even after I remove the redundant db-> no emails are sent out at all...even when the email-address does exist in the database..

cheers,
Kimmo
BUMP:

The fix above, if applied as is, leads to a FATAL ERROR; if the redundant db-> is removed => no errors but no mail sent out to the user either....

Can I get some help on this?