So I wanted a way to protect the user's e-mail address or username on the password reminder page. Out of the box, that page lets a phisher find out whether an account exists: entering an address either shows that reset instructions were e-mailed or that no username was found. The first step is to create a snippet that displays the message on the designer page, Common pages -> Remind.
if (isset($_SESSION["remindmessage"])) {
    echo $_SESSION["remindmessage"];   // show the message stored by the event below
    unset($_SESSION["remindmessage"]); // and clear it so it is shown only once
}
This snippet is used to display the message, and clear the session data after.
Next up, on the events tab, go to Remind password page -> Before password reminder sent:
// Look the address up with a parameterised query instead of concatenating $username
// into the SQL: the concatenated form is open to SQL injection. DB::PrepareSQL is
// assumed to be available (it is in recent PHPRunner versions).
$rs = DB::Query(DB::PrepareSQL("SELECT email FROM user_table WHERE email = :1", $username));
$status = $rs->fetchAssoc();

// Store the same message whether or not the address exists, so the page never
// reveals which case occurred.
$_SESSION["remindmessage"] = "
<div class='alert alert-success' data-itemtype='remind_success_message' data-itemid='remind_success_message' data-pageid='1' data-small=''>
If account exists, an email will be sent with further instructions on how to reset your password.</div>";

// fetchAssoc() returns false when there is no row, so test for that before indexing.
if (!$status || $status["email"] == "") {
    return false;   // no such account: send nothing, the remind page is redisplayed
}
return true;        // account found: let PHPRunner send the reminder
This queries your users table and stores the same message in the session whether or not the address is found. When it is not found, the event returns false, so no e-mail goes out and the remind page is shown again with that message. When it is found, the reminder is sent, but PHPRunner would then load its separate success page, which would give the game away, so we send the user back to the remind page instead. In Events -> After password reminder is sent, add the following code:
header("Location: remind.php"); // return to the remind page instead of the stock success page
exit();                          // stop here so nothing else is rendered after the redirect
So now, if a user enters an e-mail address that is on file, the reminder is sent as normal and they are redirected back to the remind page, which shows the stored message. If they enter an address that is not on file, they see the same page and the same message, so the page no longer tells them whether the address exists. Two differences do remain visible to someone scripting the request rather than reading the page in a browser: the found case answers with a redirect while the not-found case is rendered in the same request, and the found case takes longer because the mail is sent inline. The message text is hidden; those side channels are not.
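A quick way to check whether a reset page has actually stopped leaking is to send the form once with an address you know exists and once with one you know does not, then compare everything observable about the two responses, not just the message text. The script below is an added example for that comparison and is not part of the original post or of PHPRunner; it works on already-captured responses (status, Location header, body, elapsed time) so it runs offline, and the three sets of sample responses are constructed to model the stock page, the page after the changes above, and a version where both paths redirect and take about the same time. The CSRF-token blanking regex and the 250 ms timing threshold are assumptions, not values from the post.

```python
"""Compare password-reset responses for a known and an unknown account to find
user-enumeration signals (added example, not code from the original page)."""
from dataclasses import dataclass
from statistics import median
import re


@dataclass
class Response:
    status: int
    location: str      # Location header, "" when the server did not redirect
    body: str
    elapsed_ms: float


# Per-request values that legitimately differ (hidden CSRF/nonce fields) are blanked
# before bodies are compared so they do not cause a false "body differs" finding.
# The attribute pattern is an assumption about how such fields are usually rendered.
TOKEN_RE = re.compile(r'(name="[^"]*(?:token|nonce)[^"]*"\s+value=")[^"]*(")', re.I)


def normalize(body):
    return TOKEN_RE.sub(r"\1\2", body).strip()


def enumeration_signals(known, unknown, timing_threshold_ms=250.0):
    """Return the names of the observable differences between the two classes.

    known / unknown are lists of Response objects, one per repeated request.
    Status, redirect target and body are compared on the first sample; timing is
    compared on the median so a single slow request does not decide the result.
    An empty list means the endpoint gave no way to tell the two apart.
    """
    signals = []
    k, u = known[0], unknown[0]
    if k.status != u.status:
        signals.append("status")
    if k.location != u.location:
        signals.append("redirect")
    if normalize(k.body) != normalize(u.body):
        signals.append("body")
    dt = abs(median([r.elapsed_ms for r in known]) - median([r.elapsed_ms for r in unknown]))
    if dt > timing_threshold_ms:
        signals.append("timing")
    return signals


# ---- constructed samples (not captured from any real site) -------------------
FORM = '<form><input name="csrf_token" value="{tok}"><input name="username"></form>'
NEUTRAL = ("If account exists, an email will be sent with further instructions "
           "on how to reset your password.")

# 1. Stock behaviour: the message itself says whether the account exists, and the
#    found path is slow because the mail is sent before the page is returned.
BEFORE_KNOWN = [Response(200, "", FORM.format(tok="a1") + "Reset instructions have been emailed to you.", 900.0)]
BEFORE_UNKNOWN = [Response(200, "", FORM.format(tok="b2") + "No such username or email found.", 40.0)]

# 2. After the changes in the post: same message text, but the found path answers
#    with a redirect to remind.php while the not-found path renders the page in
#    the same request, and the found path is still slower.
AFTER_KNOWN = [Response(302, "remind.php", "", 900.0), Response(302, "remind.php", "", 850.0)]
AFTER_UNKNOWN = [Response(200, "", FORM.format(tok="c3") + NEUTRAL, 40.0),
                 Response(200, "", FORM.format(tok="d4") + NEUTRAL, 35.0)]

# 3. Both paths redirect and the mail is no longer sent inline.
UNIFORM_KNOWN = [Response(302, "remind.php", "", 55.0), Response(302, "remind.php", "", 60.0)]
UNIFORM_UNKNOWN = [Response(302, "remind.php", "", 40.0), Response(302, "remind.php", "", 45.0)]


if __name__ == "__main__":
    for label, k, u in (("stock", BEFORE_KNOWN, BEFORE_UNKNOWN),
                        ("after post", AFTER_KNOWN, AFTER_UNKNOWN),
                        ("uniform", UNIFORM_KNOWN, UNIFORM_UNKNOWN)):
        print(f"{label:11s} -> {enumeration_signals(k, u) or 'no signal'}")
```

Against the page as the post leaves it, the check still reports "status", "redirect", "body" and "timing": the visible message is identical, but the found path is a 302 and the not-found path a 200, and the found path waits for the mail to go out. To close those too, the not-found branch can issue the same header("Location: remind.php"); exit(); before it gives up, and the mail can be queued rather than sent inline, at which point only noise-level timing differences remain. Repeat each request several times and compare medians, as the function does, before treating a timing gap as a finding.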