Doubts in UserLogin.php
05-04-2013, 01:15 PM,
#1
Doubts in UserLogin.php
Hi all:

I'm trying to modify UserLogin.php so it sends an email to the system admin when a user gets blocked due to too many failed attempts. It is simply done by this code after line 112:

Code:
                // Notify the system admin, if an address is configured, that the account was blocked.
                if ($SysAdminEmail != '') {
                    $EmailText = _('User ID') . ' ' . $Name . ' ' . _('has been blocked access at') . ' ' . Date('Y-m-d H:i:s') . ' ' . _('due to too many failed attempts.');
                    $EmailSubject = _('User access blocked') . ' ' . $Name;
                    mail($SysAdminEmail, $EmailSubject, $EmailText);
                }

The problem comes at $SysAdminEmail. At this stage I think we haven't yet read the config table into _SESSION (so we can't store the email address there), so I am thinking of storing it in config.php, but I can't access the variable from UserLogin.php.

How should this be done without compromising security?

Many thanks.
Regards,
Pak Ricard
05-07-2013, 01:19 PM,
#2
RE: Doubts in UserLogin.php
Hi:

I think the problem I'm facing is how to read the variables included in config.php file from UserLogin.php. Which is the correct include type line?
Regards,
Pak Ricard
05-07-2013, 07:52 PM,
#3
RE: Doubts in UserLogin.php
Hi, Richard:
That sounds like a great idea.
I don't know your plan for how to get the admin's email address. In fact, you can create a SQL statement in UserLogin.php to retrieve the mail address from the database directly when the user is marked as blocked.
Another choice is to declare $SysAdminEmail as global.
The mail should be sent to the user too, to give an alert that maybe someone is hacking the system.
Just my 2 cents.
Thanks and best regards!

Exson
05-08-2013, 12:13 PM,
#4
RE: Doubts in UserLogin.php
Hi Exson and Tim:

I preferred to set the $SysAdminEmail variable in the config.php file, as a user could be making a mistake selecting the database, and we could be sending the email to the wrong admin if we use the $db to make a SQL query. Being in config.php is as hardcoded as db users, etc., so only IT admins should have access.

Sending an email to the user as well is feasible, but I guess it's more effective if we alert the IT admin (IT admins know what to do, how to detect an intrusion). We can improve it if we can email the IP address as well.

Committed today. Please check.

Tim: I wasn't 100% sure about the required change in the API function. I guess it's OK because there's an include (config.php) a few lines before the call to UserLogin(), but you know the API beast better than me.

Thanks to Tim and Exson for your help.
Regards,
Pak Ricard
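An added example, not part of the thread and not the project's own code: one way to build the lockout alert discussed above, with the admin address passed in from config.php, the client IP included, and the user-supplied login name stripped of control characters before it reaches the Subject header. The function names and sample values are hypothetical, and plain strings stand in for the _() translation calls.

```php
<?php
// Added example: hypothetical helpers, not taken from UserLogin.php.

// Replace control characters (CR/LF included) so a login name cannot add
// header lines to the message or forge extra lines in the body.
function CleanForMail($Value, $MaxLen = 64) {
    $Value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string) $Value);
    return substr(trim($Value), 0, $MaxLen);
}

// Build the alert. Returns null when no usable admin address is configured.
// Assumption: $SysAdminEmail is set in config.php, which the caller has
// already included before calling the login code.
function BuildBlockedUserAlert($SysAdminEmail, $Name, $RemoteAddr) {
    if (filter_var($SysAdminEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $SafeName = CleanForMail($Name);
    // Report the client address only if it parses as an IP address.
    $SafeIP = filter_var($RemoteAddr, FILTER_VALIDATE_IP);
    if ($SafeIP === false) {
        $SafeIP = 'unknown';
    }
    return array(
        'to'      => $SysAdminEmail,
        'subject' => 'User access blocked ' . $SafeName,
        'body'    => 'User ID ' . $SafeName . ' has been blocked access at '
                   . date('Y-m-d H:i:s') . ' from IP address ' . $SafeIP
                   . ' due to too many failed attempts.',
    );
}

// Send the alert; returns false if nothing was sent.
function SendBlockedUserAlert($SysAdminEmail, $Name, $RemoteAddr) {
    $Alert = BuildBlockedUserAlert($SysAdminEmail, $Name, $RemoteAddr);
    if ($Alert === null) {
        return false;
    }
    return mail($Alert['to'], $Alert['subject'], $Alert['body']);
}

// Constructed sample input: a login name carrying an embedded header line.
$Sample = BuildBlockedUserAlert('admin@example.com',
                                "bob\r\nBcc: someone@example.net",
                                '203.0.113.7');
echo $Sample['subject'], "\n", $Sample['body'], "\n";
```

In the login code the third argument would normally be $_SERVER['REMOTE_ADDR'], which is the address of the connecting peer and may be a proxy rather than the end client.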