
Failed logins


Xtremer360


I made some changes and now for some reason it gets past 6 for the field failedLogins. It should never get past 5 for the field value, and I'm also getting a null value for the output somewhere in this code and am not sure where I'm missing an output.

 

 else {
                            
                            // Login unsuccessful
                            $query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
                            $result = mysqli_query($dbc,$query);
                            $row = mysqli_fetch_array($result);
                            $failedLogins = $row['failedLogins'];
                            
                            $query = "UPDATE manager_users_logins_hacking SET failedLogins = '".$failedLogins."'+ 1 WHERE userID = '".$userID."'";
                            $result = mysqli_query($dbc,$query);
                            
                            // Calculate how many chances the user has to login before account gets locked
                            $chancesLeft = 5 - $failedLogins;
                            
                            // Take failed logins and compare it 
                            if ($failedLogins == 5) {
                                
                                // Retrieve IP Address of user trying to hack into account
                                $hackerIPAddress = $_SERVER['REMOTE_ADDR'];
                                
                                // Update database after account getting hacked and run query
                                $query = "UPDATE manager_users_logins_hacking SET lockDate = CURRENT_TIMESTAMP, hackerIPAddress = '".$hackerIPAddress."' WHERE userID = '".$userID."'";
                                $result = mysqli_query($dbc,$query);
                                
                                $query2 = "SELECT * FROM manager_users WHERE userID = '".$userID."'";
                                $result2 = mysqli_query($dbc,$query2);
                                $row = mysqli_fetch_array($result2);
                                $firstName = $row['firstName'];
                                $lastName = $row['lastName'];
                                
                                // Email user new registration account
                                function my_domain_name() {
                            		$my_domain = $_SERVER['HTTP_HOST'];
                            		$my_domain = str_replace('www.', '', $my_domain);
                            		return $my_domain;
                            	}
                                $sender_email = "noreply@kansasoutlawwrestling.com";
                                $reply_to = "noreply@kansasoutlawwrestling.com";
                                $recipient_email = $email; 
                                $email_subject = "KOW Manager Account Locked";
                        
                                $email_body = 'Hello '.$firstName.' '.$lastName.' You, or someone using your account at '.my_domain_name().', has attempted to hack into your account. If this is an error, ignore this email and you will be removed from our mailing list.<br /><br />Regards, '.my_domain_name().' Team';
                                
                                mailSomeone($email, $sender_email, $email_subject, $email_body);
                                
                                // Account locked error
                                $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we appologize for the inconvienence. This is a security messure implimented by to many failed login\'s! You must wait 10 minutes before you can login again!');         
                            
                            } else {
                                
                                // Invalid username and password error 
                                $output = array('errorsExist' => true, 'message' => 'Invalid Username and Password combination! You have ' .$chancesLeft.' chances left to login succesfully or the account will be locked!'); 
                                
                            }
                            
                        }


In that code you are reading the failed logins value (5), incrementing it (6), then checking to see if it's equal to 5.  Because of the order of operations, failed logins will show as 6 in the database when the account is finally locked.

 

Is that what you are seeing, or does it actually allow more login attempts afterwards?


Ok, the problem is the order in which you are doing things.  First you read the failed logins in:

 

Database: 5 failed logins

$failedLogins: 5 (read from database)

 

Then you update the database

 

Database: 6 failed logins

$failedLogins: 5

 

Then you check if there have been 5 failed logins

 

if ($failedLogins == 5) ...

 

So you need to do one of the following:

 

a) Don't update failed logins in the database once it has reached 5, or

b) Update the $failedLogins variable as well as updating the database.


So I move this:

 

$query = "UPDATE manager_users_logins_hacking SET failedLogins = '".$failedLogins."'+ 1 WHERE userID = '".$userID."'";
$result = mysqli_query($dbc,$query);

 

Inside of:

 

the if ($failedLogins == 5) { statement?


It should be moved into the "else" branch, i.e.:

 

                            } else {

                                $query = "UPDATE manager_users_logins_hacking SET failedLogins = failedLogins + 1 WHERE userID = '".$userID."'";
                                $result = mysqli_query($dbc,$query);
                                
                                // Invalid username and password error 
                                $output = array('errorsExist' => true, 'message' => 'Invalid Username and Password combination! You have ' .$chancesLeft.' chances left to login succesfully or the account will be locked!'); 
                                
                            }

 

I have also changed it to use the database column itself when updating, rather than the value read from the database.  That is a little safer in case there are multiple failed login attempts at the same time, which may happen during a scripted hacking attack.

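The ordering problem walked through two replies up (read 5, store 6, compare the stale 5) and the atomic failedLogins + 1 update suggested in this reply, as an added example that is not part of the thread: a stand-alone Python script using an in-memory sqlite3 database as a stand-in for MySQL, with the thread's table and column names. It places the original read-then-write ordering beside a corrected version. The corrected version binds values with query placeholders instead of concatenating them into the SQL string, honours an existing lockDate before counting anything, and expires the lock after the 10 minutes the lockout message promises. The remote_addr parameter, the T0 clock value and the 203.0.113.5 address are constructed for the example. It locks on the fifth failure itself and reports chances left after counting the current failure, which is the behaviour the thread is aiming for rather than a copy of the posted code.

```python
import sqlite3
from datetime import datetime, timedelta

MAX_FAILED = 5      # threshold from the thread: lock at five failures
LOCK_MINUTES = 10   # taken from the "wait 10 minutes" text in the lockout message
TABLE = "manager_users_logins_hacking"
T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed clock value for the demonstration

# Constructed schema with the thread's table and column names (SQLite stands in for MySQL).
SCHEMA = f"""
CREATE TABLE {TABLE} (
    userID          INTEGER PRIMARY KEY,
    failedLogins    INTEGER NOT NULL DEFAULT 0,
    lockDate        TEXT,
    hackerIPAddress TEXT
)
"""


def new_db(user_id=1):
    """Create a fresh database holding one unlocked user row (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(f"INSERT INTO {TABLE} (userID) VALUES (?)", (user_id,))
    conn.commit()
    return conn


def failed_count(conn, user_id):
    """Return the stored failedLogins value so the counter can be inspected."""
    return conn.execute(f"SELECT failedLogins FROM {TABLE} WHERE userID = ?",
                        (user_id,)).fetchone()[0]


def minutes_after(start, minutes):
    """Small clock helper used to simulate the lock expiring."""
    return start + timedelta(minutes=minutes)


def buggy_failed_login(conn, user_id):
    """Ordering from the original post: read the counter, store read+1, then
    compare the stale read against the threshold. The sixth failure is the
    first one that locks, and the stored counter reaches 6."""
    failed = failed_count(conn, user_id)
    conn.execute(f"UPDATE {TABLE} SET failedLogins = ? WHERE userID = ?", (failed + 1, user_id))
    conn.commit()
    if failed == MAX_FAILED:
        return {"locked": True, "chancesLeft": 0}
    return {"locked": False, "chancesLeft": MAX_FAILED - failed}


def fixed_failed_login(conn, user_id, remote_addr, now=None):
    """Corrected handling: respect an existing lock first, increment the column
    itself rather than a value read earlier, then decide from the fresh count."""
    now = now or datetime.now()
    _, lock_date = conn.execute(f"SELECT failedLogins, lockDate FROM {TABLE} WHERE userID = ?",
                                (user_id,)).fetchone()
    if lock_date is not None:
        if now - datetime.fromisoformat(lock_date) < timedelta(minutes=LOCK_MINUTES):
            # Still inside the lockout window: reject without counting.
            return {"locked": True, "chancesLeft": 0}
        # Lock has expired: clear it and start counting from zero again.
        conn.execute(f"UPDATE {TABLE} SET failedLogins = 0, lockDate = NULL, "
                     f"hackerIPAddress = NULL WHERE userID = ?", (user_id,))
    # Atomic increment in the database, as the reply suggests: two concurrent
    # failures both land instead of one overwriting the other.
    conn.execute(f"UPDATE {TABLE} SET failedLogins = failedLogins + 1 WHERE userID = ?", (user_id,))
    failed = failed_count(conn, user_id)   # re-read after the increment, never the stale value
    if failed >= MAX_FAILED:
        conn.execute(f"UPDATE {TABLE} SET lockDate = ?, hackerIPAddress = ? WHERE userID = ?",
                     (now.isoformat(), remote_addr, user_id))
        conn.commit()
        return {"locked": True, "chancesLeft": 0}
    conn.commit()
    return {"locked": False, "chancesLeft": MAX_FAILED - failed}


if __name__ == "__main__":
    conn = new_db()
    for _ in range(6):
        print("buggy:", buggy_failed_login(conn, 1), "stored:", failed_count(conn, 1))
    conn = new_db()
    for _ in range(6):
        print("fixed:", fixed_failed_login(conn, 1, "203.0.113.5", now=T0), "stored:", failed_count(conn, 1))
    print("after expiry:", fixed_failed_login(conn, 1, "203.0.113.5", now=minutes_after(T0, 11)))
```

Running the script shows the buggy version handing out 5, 4, 3, 2, 1 chances and locking only on the sixth attempt with 6 stored, while the fixed version stops at 5 in the database, keeps rejecting inside the lockout window without touching the counter, and resets once the window has passed.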

I get 0 for the failedLogins echoed when the code gets executed the first time after a failed login attempt then it goes to 1 and so on.

 

<?php
else {
                            
                            // Login unsuccessful
                            $query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
                            $result = mysqli_query($dbc,$query);
                            $row = mysqli_fetch_array($result);
                            $failedLogins = $row['failedLogins'];
                            echo $failedLogins;
                            echo "<br />";
                            // Calculate how many chances the user has to login before account gets locked
                            $chancesLeft = 5 - $failedLogins;
                            echo $failedLogins;

                            // Take failed logins and compare it 
                            if ($failedLogins == 5) {
                                
                                // Retrieve IP Address of user trying to hack into account
                                $hackerIPAddress = $_SERVER['REMOTE_ADDR'];
                                
                                // Update database after account getting hacked and run query
                                $query = "UPDATE manager_users_logins_hacking SET lockDate = CURRENT_TIMESTAMP, hackerIPAddress = '".$hackerIPAddress."' WHERE userID = '".$userID."'";
                                $result = mysqli_query($dbc,$query);
                                
                                $query2 = "SELECT * FROM manager_users WHERE userID = '".$userID."'";
                                $result2 = mysqli_query($dbc,$query2);
                                $row = mysqli_fetch_array($result2);
                                $firstName = $row['firstName'];
                                $lastName = $row['lastName'];
                                
                                // Email user new registration account
                                function my_domain_name() {
                            		$my_domain = $_SERVER['HTTP_HOST'];
                            		$my_domain = str_replace('www.', '', $my_domain);
                            		return $my_domain;
                            	}
                                $sender_email = "noreply@kansasoutlawwrestling.com";
                                $reply_to = "noreply@kansasoutlawwrestling.com";
                                $recipient_email = $email; 
                                $email_subject = "KOW Manager Account Locked";
                        
                                $email_body = 'Hello '.$firstName.' '.$lastName.' You, or someone using your account at '.my_domain_name().', has attempted to hack into your account. If this is an error, ignore this email and you will be removed from our mailing list.<br /><br />Regards, '.my_domain_name().' Team';
                                
                                mailSomeone($email, $sender_email, $email_subject, $email_body);
                                
                                // Account locked error
                                $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we appologize for the inconvienence. This is a security messure implimented by to many failed login\'s! You must wait 10 minutes before you can login again!');         
                            
                            } else {
                                
                                $query3 = "UPDATE manager_users_logins_hacking SET failedLogins = failedLogins + 1 WHERE userID = '".$userID."'";
                                $result3 = mysqli_query($dbc,$query3);
                                
                                // Invalid username and password error 
                                $output = array('errorsExist' => true, 'message' => 'Invalid Username and Password combination! You have ' .$chancesLeft.' chances left to login succesfully or the account will be locked!'); 
                                
                            }
                            
                        }
                ?>


Ok.  If you have 0 for failed logins the first time your code runs, then you set $chancesLeft = 5 - $failedLogins, what value is in $chancesLeft?  You can echo it out like this:

 

echo "chancesLeft: $chancesLeft <br>";


At what point am I going to subtract one?

 

// Calculate how many chances the user has to login before account gets locked
$chancesLeft = 5 - $failedLogins;
echo "chancesLeft: $chancesLeft <br>";


Something still isn't right because it shows up as 5 in the db for the failedLogins, but it DOES NOT perform the steps inside the loop when it is == 5. Also it still shows 0 as the chances left; it shouldn't show that message, it should be showing the "Your account is currently locked, we appologize for the inconvienence. This is a security messure implimented by to many failed login\'s! You must wait 10 minutes before you can login again!" message.
