[SOLVED] How to limit the number of login attempts in a login script?


Hey,

I've written a very basic PHP login script, but my problem is I can't work out how to limit the user so they can only try to log in 3 times. And after 3 times then ban them for 10 mins?

I just need something basic. Should be easy for an expert  :P

Cheers!

You can use a cookie. Like this:

 

<?php
if($login_incorrect){
     if(isset($_COOKIE['login'])){
          if($_COOKIE['login'] < 3){
               $attempts = $_COOKIE['login'] + 1;
               setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
          } else{
               echo 'You are banned for 10 minutes. Try again later';
          }
     } else{
          setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
     }
}
?>

All the end user has to do is delete the cookie and start over.

May be best to write the invalid attempt to a DB based on the username and check attempts made against that instead. Can also timestamp them to check the 10 min mark.

I'm with revraz on this one. I would store a table of "naughty" usernames with a count and timestamp of attempts. If there have been X number of minutes from the last attempt, delete the record, but if there have been 3 wrong attempts in the last X number of minutes, they cannot attempt again until the time has expired.

Agreed. The best way is to store the username that is attempted and maybe the IP address in a table. The IP address can be changed if they are on DSL by resetting their modem, but that is not always the case. This way, you can block the username and/or the IP for X minutes.
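
The database-backed approach suggested in the replies above, as an added example that is not part of any post in this thread: failures are stored server-side with a timestamp, so deleting a cookie does not reset the count. The `login_failures` table, the function names and the in-memory SQLite connection are assumptions for illustration; the lockout is keyed on the username and the IP is only recorded.

```php
<?php
// Added example: server-side lockout, 3 failures per username within 10 minutes.
// Table name, function names and the SQLite connection are assumptions.
const MAX_ATTEMPTS = 3;
const LOCK_SECONDS = 600;

function initLockoutTable(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
        username TEXT NOT NULL,
        ip TEXT NOT NULL,
        attempted_at INTEGER NOT NULL)');
}

// Count failures for this username inside the window; true means refuse the attempt.
function isLockedOut(PDO $db, string $username, int $now): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_failures
                          WHERE username = ? AND attempted_at > ?');
    $stmt->execute([$username, $now - LOCK_SECONDS]);
    return (int)$stmt->fetchColumn() >= MAX_ATTEMPTS;
}

function recordFailure(PDO $db, string $username, string $ip, int $now): void {
    // Drop expired rows so the table does not grow without bound.
    $db->prepare('DELETE FROM login_failures WHERE attempted_at <= ?')
       ->execute([$now - LOCK_SECONDS]);
    $db->prepare('INSERT INTO login_failures (username, ip, attempted_at) VALUES (?, ?, ?)')
       ->execute([$username, $ip, $now]);
}

// Call after a successful login so old failures do not count against the user.
function clearFailures(PDO $db, string $username): void {
    $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$username]);
}

// Constructed demo: in-memory SQLite, one made-up username, a fixed clock.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initLockoutTable($db);
$t = 1000000;
foreach ([0, 5, 10] as $offset) {
    recordFailure($db, 'kieran', '203.0.113.7', $t + $offset);
}
var_dump(isLockedOut($db, 'kieran', $t + 11));   // checked just after the third failure
var_dump(isLockedOut($db, 'kieran', $t + 700));  // checked after the 10-minute window
```

In a login script, `isLockedOut()` would run before the password is compared, `recordFailure()` on a mismatch, and `clearFailures()` on success.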

Hey,

I can't work out how to implement the cookie code into my script. Here's my code for my pages below:


Login page

<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<title>Login!</title>

</head>
<body>
<div id="loginbox">
	<form action="login2.php" method="post">
		<label class="user" for="user"><strong>Username:</strong></label> <input type="text" name="username"><br><br>
		<label class="user" for="user"><strong>Password:</strong></label> <input type="password" name="password"><br><br>
		<input class="submit" type="submit" name="submit" value="Login!" id="submitbut" >
	</form>	
</div>
	<div id="underbox"><a class="reg" href="register.php">Register!</a><span class="text">Created by Kieran P</span></div>
</body>

</html>

 

Login Check

<?php

//Includes the connection file that contains the MYSQL database information
include('connection.php');

// Checking if the submit button has been checked.
if(isset($_POST['submit'])){
	// If the username and password fields are empty then print an error.
	if(empty($_POST['username']) || empty($_POST['password'])){
		echo "Sorry you have to fill in all the forms!";
		exit;
	}

	$user = $_POST['username'];
	$pass = $_POST['password'];
	$pass = md5($pass);
	if(strlen($user) > '15')
	{
		echo "Your username is more than 15 characters. It needs to be less than 15.";
		exit;
	}

	// Selects the username and password from the users database.
	$query = "SELECT username, password FROM `users` WHERE username='$user'";

	$result = mysql_query($query);

	if(!$result) {
		echo "The query failed " . mysql_error();
	} else {
		// If the row variable does not equal the pass variable then an error occurs.
		$row = mysql_fetch_object($result);
			if($row->password != $pass) {
				echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again.";
				exit;
			}
			header('Location:  logged.php');	
	}
}
?>

 

 

I need to implement this code into the script above

<?php
if($login_incorrect){
     if(isset($_COOKIE['login'])){
          if($_COOKIE['login'] < 3){
               $attempts = $_COOKIE['login'] + 1;
               setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
          } else{
               echo 'You are banned for 10 minutes. Try again later';
          }
     } else{
          setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
     }
}
?>

ATTN: This code is untested, so I can only hope it gets the job done.

ALSO: you should sanitize your username variable with trim() and mysql_real_escape_string(). Ex: mysql_real_escape_string(trim($_POST['username']));

 

<?php
//Includes the connection file that contains the MYSQL database information
include('connection.php');

// Checking if the submit button has been checked.
if(isset($_POST['submit'])){
	// If the username and password fields are empty then print an error.
	if(empty($_POST['username']) || empty($_POST['password'])){
		echo "Sorry you have to fill in all the forms!";
		exit;
	}

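	// Trim and escape the username before it is interpolated into the query below.
	$user = mysql_real_escape_string(trim($_POST['username']));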
	$pass = md5($_POST['password']);
	if(strlen($user) > '15')
	{
		echo "Your username is more than 15 characters. It needs to be less than 15.";
		exit;
	}

	// Selects the username and password from the users database.
	$query = "SELECT username, password FROM `users` WHERE username='$user'";

	$result = mysql_query($query);

	if(!$result) {
		echo "The query failed " . mysql_error();
	} else {
		// If the row variable does not equal the pass variable then an error occurs.
		$row = mysql_fetch_object($result);
			if($row->password != $pass) {
				if(isset($_COOKIE['login'])){
					if($_COOKIE['login'] < 3){
						$attempts = $_COOKIE['login'] + 1;
						setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
						echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again.";
					} else{
						echo 'You\'ve had your 3 failed attempts at logging in and now are banned for 10 minutes. Try again later!';
					}
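				} else {
					setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
					// First failed attempt: show the same error message as later failures.
					echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again.";
				}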
				exit;
			}
			header('Location: logged.php');	
	}
}
?>
