[ticket/7538] Limit user_login_attempts to prevent SQL errors.

PHPBB3-7538
2025-06-28 06:08:52 +00:00 · 2010-10-15 18:54:44 +02:00 · 2010-10-15 18:54:44 +02:00 · 0452da2bf1
commit 0452da2bf1
parent b8f37a5024
2 changed files with 8 additions and 2 deletions
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@ -134,7 +134,8 @@ function login_db(&$username, &$password)
 				// increase login attempt count to make sure this cannot be exploited
 				$sql = 'UPDATE ' . USERS_TABLE . '
 					SET user_login_attempts = user_login_attempts + 1
-					WHERE user_id = ' . $row['user_id'];
+					WHERE user_id = ' . (int) $row['user_id'] . '
 						AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 				$db->sql_query($sql);
 				return array(
@ -194,7 +195,8 @@ function login_db(&$username, &$password)
 	// Password incorrect - increase login attempts
 	$sql = 'UPDATE ' . USERS_TABLE . '
 		SET user_login_attempts = user_login_attempts + 1
-		WHERE user_id = ' . $row['user_id'];
+		WHERE user_id = ' . (int) $row['user_id'] . '
 			AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 	$db->sql_query($sql);
 	// Give status about wrong password...
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@ -69,6 +69,10 @@ define('LOGIN_ERROR_ATTEMPTS', 13);
 define('LOGIN_ERROR_EXTERNAL_AUTH', 14);
 define('LOGIN_ERROR_PASSWORD_CONVERT', 15);
 // Maximum login attempts
 // The value is arbitrary, but it has to fit into the user_login_attempts field.
 define('LOGIN_ATTEMPTS_MAX', 100);
 // Group settings
 define('GROUP_OPEN', 0);
 define('GROUP_CLOSED', 1);