Jump to content

Archived

This topic is now archived and is closed to further replies.

ifusion

[SOLVED] How to limit the number of login attempts in a login script?

Recommended Posts

Hey,

 

I've written a very basic php login script but my problem is i cant work out how to limit the user so they can only try and log in 3 times. And after 3 times then ban them for 10mins?

 

I just need something basic. Should be easy for and expert  :P

 

Cheers!

Share this post


Link to post
Share on other sites

You can use a cookie. Like this:

 

<?php
if($login_incorrect){
     if(isset($_COOKIE['login'])){
          if($_COOKIE['login'] < 3){
               $attempts = $_COOKIE['login'] + 1;
               setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
          } else{
               echo 'You are banned for 10 minutes. Try again later';
          }
     } else{
          setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
     }
}
?>

Share this post


Link to post
Share on other sites

Cheers for that man. Is there anyway of making it in a loop form? Like a for or while loop?

Share this post


Link to post
Share on other sites

You can add a loop wherever you want, but you have to explain what you need the loop for if you want suggestions.

Share this post


Link to post
Share on other sites

All the end user has to do is delete the cookie and start over.

 

May be best to write the invalid attempt to a DB based on the username and check attempts made against that instead.  Can also time stamp them to check the 10 min mark.

Share this post


Link to post
Share on other sites

I'm with revraz on this one. I would store a table of "naughty" usernames with a count and timestamp of attempts. If there have been X number of minutes from the last attempt, delete the record, but if there have been 3 wrong attempts in the last X number of minutes, they cannot attempt again until the time has expired.

Share this post


Link to post
Share on other sites

agreed. The best way is to store the username that is attempted and maybe the IP address in a table. The IP address can be changed if they are on DSL by resetting their modem, but is not always the case. This way, you can block the username and/or the IP for X minutes.

Share this post


Link to post
Share on other sites

Hey,

 

I cant work out how to implement the cookie code into my script. Heres my code for my pages below:

 

Login page

<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<title>Login!</title>

</head>
<body>
<div id="loginbox">
	<form action="login2.php" method="post">
		<label class="user" for="user"><strong>Username:</strong></label> <input type="text" name="username"><br><br>
		<label class="user" for="user"><strong>Password:</strong></label> <input type="password" name="password"><br><br>
		<input class="submit" type="submit" name="submit" value="Login!" id="submitbut" >
	</form>	
</div>
	<div id="underbox"><a class="reg" href="register.php">Register!</a><span class="text">Created by Kieran P</span></div>
</body>

</html>

 

Login Check

<?php

//Includes the connection file that contains the MYSQL database information
include('connection.php');

// Checking if the submit button has been checked.
if(isset($_POST['submit'])){
	// If the username and password fields are empty then print and error.
	if(empty($_POST['username']) || empty($_POST['password'])){
		echo "Sorry you have to fill in all the forms!";
		exit;
	}

	$user = $_POST['username'];
	$pass = $_POST['password'];
	$pass = md5($pass);
	if(strlen($user) > '15')
	{
		echo "Your username is more than 15 characters. It needs to be less than 15.";
		exit;
	}

	// Selects the username and password from the users database.
	$query = "SELECT username, password FROM `users` WHERE username='$user'";

	$result = mysql_query($query);

	if(!$result) {
		echo "The query failed " . mysql_error();
	} else {
		// If the row vairble does not equal the pass variable then an error occurs.
		$row = mysql_fetch_object($result);
			if($row->password != $pass) {
				echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again.";
				exit;
			}
			header('Location:  logged.php');	
	}
}
?>

 

 

I need to implement this code into the the script above

<?php
if($login_incorrect){
     if(isset($_COOKIE['login'])){
          if($_COOKIE['login'] < 3){
               $attempts = $_COOKIE['login'] + 1;
               setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
          } else{
               echo 'You are banned for 10 minutes. Try again later';
          }
     } else{
          setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
     }
}
?>

Share this post


Link to post
Share on other sites

ATTN: This code is untested, so I can only hope it gets the job done.

ALSO: you should sanitize your username variable with trim() and mysql_real_escape_string(). Ex: mysql_real_escape_string(trim($_POST['username']));

 

<?php
//Includes the connection file that contains the MYSQL database information
include('connection.php');

// Checking if the submit button has been checked.
if(isset($_POST['submit'])){
	// If the username and password fields are empty then print and error.
	if(empty($_POST['username']) || empty($_POST['password'])){
		echo "Sorry you have to fill in all the forms!";
		exit;
	}

	$user = $_POST['username'];
	$pass = md5($_POST['password']);
	if(strlen($user) > '15')
	{
		echo "Your username is more than 15 characters. It needs to be less than 15.";
		exit;
	}

	// Selects the username and password from the users database.
	$query = "SELECT username, password FROM `users` WHERE username='$user'";

	$result = mysql_query($query);

	if(!$result) {
		echo "The query failed " . mysql_error();
	} else {
		// If the row vairble does not equal the pass variable then an error occurs.
		$row = mysql_fetch_object($result);
			if($row->password != $pass) {
				if(isset($_COOKIE['login'])){
					if($_COOKIE['login'] < 3){
						$attempts = $_COOKIE['login'] + 1;
						setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
						echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again.";
					} else{
						echo 'You\'ve had your 3 failed attempts at logging in and now are banned for 10 minutes. Try again later!';
					}
				} else {
					setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
				}
				exit;
			}
			header('Location: logged.php');	
	}
}
?>

Share this post


Link to post
Share on other sites

Awsome! It works. Had to add a couple of things but it works now!

 

Thanks heaps.

Share this post


Link to post
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.