ifusion Posted August 27, 2008 Share Posted August 27, 2008 Hey, I've written a very basic php login script but my problem is i cant work out how to limit the user so they can only try and log in 3 times. And after 3 times then ban them for 10mins? I just need something basic. Should be easy for and expert Cheers! Quote Link to comment Share on other sites More sharing options...
Fadion Posted August 27, 2008 Share Posted August 27, 2008 You can use a cookie. Like this: <?php if($login_incorrect){ if(isset($_COOKIE['login'])){ if($_COOKIE['login'] < 3){ $attempts = $_COOKIE['login'] + 1; setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored } else{ echo 'You are banned for 10 minutes. Try again later'; } } else{ setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1 } } ?> Quote Link to comment Share on other sites More sharing options...
ifusion Posted August 27, 2008 Author Share Posted August 27, 2008 Cheers for that man. Is there anyway of making it in a loop form? Like a for or while loop? Quote Link to comment Share on other sites More sharing options...
Fadion Posted August 27, 2008 Share Posted August 27, 2008 You can add a loop wherever you want, but you have to explain what you need the loop for if you want suggestions. Quote Link to comment Share on other sites More sharing options...
revraz Posted August 27, 2008 Share Posted August 27, 2008 All the end user has to do is delete the cookie and start over. May be best to write the invalid attempt to a DB based on the username and check attempts made against that instead. Can also time stamp them to check the 10 min mark. Quote Link to comment Share on other sites More sharing options...
obsidian Posted August 27, 2008 Share Posted August 27, 2008 I'm with revraz on this one. I would store a table of "naughty" usernames with a count and timestamp of attempts. If there have been X number of minutes from the last attempt, delete the record, but if there have been 3 wrong attempts in the last X number of minutes, they cannot attempt again until the time has expired. Quote Link to comment Share on other sites More sharing options...
atomicrabbit Posted August 27, 2008 Share Posted August 27, 2008 agreed. The best way is to store the username that is attempted and maybe the IP address in a table. The IP address can be changed if they are on DSL by resetting their modem, but is not always the case. This way, you can block the username and/or the IP for X minutes. Quote Link to comment Share on other sites More sharing options...
ifusion Posted August 27, 2008 Author Share Posted August 27, 2008 Hey, I cant work out how to implement the cookie code into my script. Heres my code for my pages below: Login page <html> <head> <link rel="stylesheet" type="text/css" href="style.css"> <title>Login!</title> </head> <body> <div id="loginbox"> <form action="login2.php" method="post"> <label class="user" for="user"><strong>Username:</strong></label> <input type="text" name="username"><br><br> <label class="user" for="user"><strong>Password:</strong></label> <input type="password" name="password"><br><br> <input class="submit" type="submit" name="submit" value="Login!" id="submitbut" > </form> </div> <div id="underbox"><a class="reg" href="register.php">Register!</a><span class="text">Created by Kieran P</span></div> </body> </html> Login Check <?php //Includes the connection file that contains the MYSQL database information include('connection.php'); // Checking if the submit button has been checked. if(isset($_POST['submit'])){ // If the username and password fields are empty then print and error. if(empty($_POST['username']) || empty($_POST['password'])){ echo "Sorry you have to fill in all the forms!"; exit; } $user = $_POST['username']; $pass = $_POST['password']; $pass = md5($pass); if(strlen($user) > '15') { echo "Your username is more than 15 characters. It needs to be less than 15."; exit; } // Selects the username and password from the users database. $query = "SELECT username, password FROM `users` WHERE username='$user'"; $result = mysql_query($query); if(!$result) { echo "The query failed " . mysql_error(); } else { // If the row vairble does not equal the pass variable then an error occurs. $row = mysql_fetch_object($result); if($row->password != $pass) { echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again."; exit; } header('Location: logged.php'); } } ?> I need to implement this code into the the script above <?php if($login_incorrect){ if(isset($_COOKIE['login'])){ if($_COOKIE['login'] < 3){ $attempts = $_COOKIE['login'] + 1; setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored } else{ echo 'You are banned for 10 minutes. Try again later'; } } else{ setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1 } } ?> Quote Link to comment Share on other sites More sharing options...
ifusion Posted August 28, 2008 Author Share Posted August 28, 2008 Bump Quote Link to comment Share on other sites More sharing options...
Goldeneye Posted August 28, 2008 Share Posted August 28, 2008 ATTN: This code is untested, so I can only hope it gets the job done. ALSO: you should sanitize your username variable with trim() and mysql_real_escape_string(). Ex: mysql_real_escape_string(trim($_POST['username'])); <?php //Includes the connection file that contains the MYSQL database information include('connection.php'); // Checking if the submit button has been checked. if(isset($_POST['submit'])){ // If the username and password fields are empty then print and error. if(empty($_POST['username']) || empty($_POST['password'])){ echo "Sorry you have to fill in all the forms!"; exit; } $user = $_POST['username']; $pass = md5($_POST['password']); if(strlen($user) > '15') { echo "Your username is more than 15 characters. It needs to be less than 15."; exit; } // Selects the username and password from the users database. $query = "SELECT username, password FROM `users` WHERE username='$user'"; $result = mysql_query($query); if(!$result) { echo "The query failed " . mysql_error(); } else { // If the row vairble does not equal the pass variable then an error occurs. $row = mysql_fetch_object($result); if($row->password != $pass) { if(isset($_COOKIE['login'])){ if($_COOKIE['login'] < 3){ $attempts = $_COOKIE['login'] + 1; setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored echo "I'm sorry, but your username and password don't match. Please go back and enter the correct login details. You Click <a href=\"login.php\">here</a> to try again."; } else{ echo 'You\'ve had your 3 failed attempts at logging in and now are banned for 10 minutes. Try again later!'; } } else { setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1 } exit; } header('Location: logged.php'); } } ?> Quote Link to comment Share on other sites More sharing options...
ifusion Posted August 28, 2008 Author Share Posted August 28, 2008 Awsome! It works. Had to add a couple of things but it works now! Thanks heaps. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.