limit users to only 3 logins using php mysql ;ogin system?

[rgriffin3838]

i have a php mysql login system in place and working. what i want to do is limit the number of time a user can log in. so what i did was i created another column in my database called lognmbr. this number increments each time a member logs in. i have all this working. but i cant figure out how to write the query to look at that number and if that number is >= 3 then that person is denied login. i currently have my code writen this way which does not work.

 

this file is named checklogin.php i have changed the text color to green in the portion i need help with.

 

<?php

I have code here to connect to my database but i left it out for posting.

// Define $myusername and $mypassword

$myusername=$_POST['myusername'];

$mypassword=$_POST['mypassword'];

 

// encrypt password

$encrypted_mypassword=md5($mypassword);

 

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";

$result=mysql_query($sql);

 

// To protect MySQL injection (more detail about MySQL injection)

$myusername = stripslashes($myusername);

$mypassword = stripslashes($mypassword);

$myusername = mysql_real_escape_string($myusername);

$mypassword = mysql_real_escape_string($mypassword);

 

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($count==1)

{

 

$query="UPDATE members SET nmbrlogin=nmbrlogin+1 WHERE username='$myusername' and password='$encrypted_mypassword'";

$result1=mysql_query($query);

 

$query1="SELECT nmbrlogin FROM members WHERE username='$myusername' and password='$encrypted_mypassword'";

$resulta=mysql_query($query1);

 

$lognmbr=mysql_fetch_field($resulta);

// Register $myusername, $mypassword and redirect to file "tilt_activate.php"

session_register("myusername");

session_register("mypassword");

 

if($lognmbr<4)

{

header("location:URL.php");

}

else

{

echo "Sorry you have already logged in 3 times. If this is a mistake please contact customer support.";

}

}

else

{

echo "Wrong Username or Password";

}

ob_end_flush();

?>

 

Anyone have an idea?

[fenway]

Just check the counter in the WHERE clause... not this is the best way.

[DavidAM]

First, you need to review your code.  You have a block to "protect MySQL injection" but it is AFTER you have already sent the POSTed data to the database.  Kinda like closing the barn door after the horse got out.

 

For the check you asked, you have already seleted the login counter (using SELECT *) so I would test it like this:

if($count==1) {  // Found Only one record with user/password - cool
  $row = mysql_fetch_array($result);
  if ($row['nmbrlogin'] >= 3) {
    echo "Sorry you have already logged in 3 times. If this is a mistake please contact customer support.";
  } else {
    // I wouldn't send the password again, but that assumes username is unique (which it should be)
    $query="UPDATE members SET nmbrlogin=nmbrlogin+1 WHERE username='$myusername'";
    $result1=mysql_query($query);

    // Register $myusername, $mypassword and redirect to file "tilt_activate.php"
    session_register("myusername");
    // I would NOT put the password in the session.  Sessions are stored in a file system somewhere and are probably world readable.
    //session_register("mypassword");

    header("location:URL.php");
    exit(); // Don't load the rest of the page
  }
} else {
  echo "Wrong Username or Password";
}

You could do it in the WHERE clause of the SELECT, but then you can't tell the user why you rejected their login.

[ghostcoder]

SELECT *, (SELECT nmbrlogin FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword ) AS total_logins FROM $tbl_name 
WHERE username='$myusername' and password='$encrypted_mypassword;

 

Extract the results. Check the $total_logins result for the number of existing logins. Then you can deny access and let the user know it's because they had x number of logins already.