
How To Disable The User For 5 Minutes When He Inputs The Wrong Password One Time Using PHP And MySQL ...



How do I disable the user for 5 minutes when he inputs the wrong password only one time, using PHP?

I am trying, but I am not able to access the login page. Please help...

```php
<?php session_start();?>
<?php error_reporting(E_ALL ^ E_NOTICE);//hiding error using?>
<?php
require("connect.php");

$myusername = $_POST['username'];
$mypassword = $_POST['password'];

// let's say the block time is 5 mins
$failed_waiting_time = 300; // 5 mins

// first visit in this session: no failed attempts yet
if (!isset($_SESSION['login_counter'])) $_SESSION['login_counter'] = 0;

// compare with ==; the original "= 1" was an assignment and was always true
if ($_SESSION['login_counter'] == 1)
{
    // seconds since the failed attempt was recorded
    $period = time() - $_SESSION['failed_login'];

    // use the configured wait time; the original compared against a hard-coded 500
    if ($period < $failed_waiting_time) {
        // do what you want here, like saying you need to wait
        // redirect to login page
        header("location:head.php");
    }
    // if period > $failed_waiting_time
    // reset time
    $_SESSION['failed_login'] = time();
}

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

if (isset($_POST['sub']))
{
    if (empty($myusername) || empty($mypassword))
    {
        $problem = TRUE;
    }

    $sql = "SELECT * FROM login WHERE username='$myusername' and password='$mypassword'";
    $result = mysql_query($sql);
    $count = mysql_num_rows($result);

    if ($count == 1)
    {
        $_SESSION['myusername'] = $myusername;
        $_SESSION['mypassword'] = $mypassword;

        header("location:page.php");
        exit;
    }
    else
    {
        $_SESSION['login_counter'] = $_SESSION['login_counter'] + 1;
        // register the time of the first failed access
        if ($_SESSION['login_counter'] == 1) {
            $_SESSION['failed_login'] = time();
        }
        header("location:index.php");
    }
}
?>
<html>
<head>
</head>
<body>
<form method="post" action="login.php">
<table border="2">
<tr><td>userName</td><td><input type="text" name="username"/></td></tr>
<tr><td>Password</td><td><input type="password" name="password"/></td></tr>
<tr><td><input type="submit" name="sub" value="Login"></td></tr>
</table>
</form>
</body>
</html>
```

login.php

You cannot use session variables for the fail count and the lockout timer because all a person or bot script would need to do is 'drop' the current session id and they will get a new set of tries. You must store the fail count and lockout time in a database.

A few more comments:

  • Please use the [code][/code] tags around your code, as it helps make both your post and your code a lot easier to read.
  • I strongly recommend that you read this article about secure login systems. Storing plain text password is very bad.
  • Don't open and close the PHP mode for each line, as you've done at the start. One open tag and one closing tag is enough for the whole PHP code. Quite easy to introduce header errors due to unnoticed whitespace otherwise.
  • You're not properly validating the input, nor are you doing anything with the $problem variable. If a validation error is encountered, stop trying to log in and show the user the form again. With an error message and the username pre-filled.
  • stripslashes () should be completely unnecessary and doesn't do anything; if you have magic_quotes turned on, it's far better to turn it off instead. At least check the magic quotes status before using stripslashes ().
  • You're not actually hiding the errors, but displaying them with the code in line 2.
  • You have three header () calls which redirect the user, but only one of them has the required "die ()" afterwards.

 

I'd actually recommend you to put the login-check in a function. That way you can easily abort only the login-part if an error is encountered, while still allowing the rest of the code to parse and show the form (again).

Aside from the problems noted above, on to your actual problem:

 

If you want to restrict login based upon failed attempts you need to query the record by ONLY the username. Also, I would add a new field to the table called "last_login_failure". Then when the user attempts to login follow this approach:

 

1. If no record is returned then the username is unknown, so just fail the login. You can't really set a value for any user since you don't know which user to apply it to.

2. Assuming a record was returned, check the last_login_failure time (if it exists). If that time was less than 5 minutes ago, fail the login. But do not update last_login_failure. If you do, then if the user waited 4:50 thinking the 5 minutes had expired, the clock would be reset.

3. Assuming last_login_failure was NULL or more than 5 minutes ago, then you check if the password is correct. If not, fail the login and set the last_login_failure datetime value. If the password is correct, then just log the user in.

 

Using the above method you only need to set a value for last_login_failure when a username/password match is incorrect. You don't need to remove the value after a successful login.
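The following is an added example, not code from the thread or from either poster, showing the database-backed lockout that the two replies above describe: the fail count and lock time live in the user's row, the row is looked up by username only, and a locked account is refused without touching the timestamp. It assumes a PDO connection, a table `login` with columns `username`, `password_hash`, `failed_attempts` and `last_login_failure` (stored as unix time in an INTEGER column), and uses PDO prepared statements plus password_hash()/password_verify() in place of the thread's mysql_* functions and plain-text passwords; all of those column names except last_login_failure, and the constant names, are assumptions for this example. MAX_FAILURES generalizes the reply's "one failure locks" to N failures; set to 1 it matches the original question.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Database-backed login lockout:
//   1. look the account up by username ONLY;
//   2. if it is locked, fail WITHOUT updating last_login_failure;
//   3. otherwise verify the password and record the result.
// Assumed schema: login(id, username, password_hash, failed_attempts, last_login_failure).

const LOCKOUT_SECONDS = 300; // 5 minutes, as asked in the original question
const MAX_FAILURES    = 1;   // lock after a single wrong password, as asked

/** Returns 'ok', 'locked' or 'bad_credentials'. $now is injectable for testing. */
function attemptLogin(PDO $db, string $username, string $password, ?int $now = null): string
{
    $now ??= time();

    // Step 1: query by username only; the password never appears in SQL.
    $stmt = $db->prepare(
        'SELECT id, password_hash, failed_attempts, last_login_failure FROM login WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username: nothing to lock, just fail with the same answer as a
        // wrong password so the response does not confirm which usernames exist.
        return 'bad_credentials';
    }

    // Step 2: still inside the lockout window? Refuse and do NOT update the
    // timestamp, otherwise a retry at 4:50 would restart the 5-minute clock.
    $lastFailure = $row['last_login_failure'];
    if ($lastFailure !== null
        && (int)$row['failed_attempts'] >= MAX_FAILURES
        && ($now - (int)$lastFailure) < LOCKOUT_SECONDS) {
        return 'locked';
    }

    // Step 3: no lock (or it has expired): check the password against the stored hash.
    if (!password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE login SET failed_attempts = failed_attempts + 1, last_login_failure = :t WHERE id = :id')
           ->execute([':t' => $now, ':id' => $row['id']]);
        return 'bad_credentials';
    }

    // Correct password: reset the counter. last_login_failure can stay, as the reply
    // notes; it is ignored once failed_attempts is below the threshold.
    $db->prepare('UPDATE login SET failed_attempts = 0 WHERE id = :id')->execute([':id' => $row['id']]);
    // The caller should now call session_regenerate_id(true) and store $row['id']
    // in the session, never the password.
    return 'ok';
}

/** Self-contained demo on an in-memory SQLite database with one constructed user. */
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password_hash TEXT, failed_attempts INTEGER DEFAULT 0, last_login_failure INTEGER)');
    $db->prepare('INSERT INTO login (username, password_hash) VALUES (:u, :h)')
       ->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

    $t0 = 1_000_000; // constructed clock so the lockout window can be stepped through
    return [
        attemptLogin($db, 'alice', 'wrong',         $t0),       // bad_credentials: lock starts
        attemptLogin($db, 'alice', 'correct horse', $t0 + 290), // locked: right password, too early
        attemptLogin($db, 'alice', 'wrong',         $t0 + 295), // locked: timestamp is NOT reset
        attemptLogin($db, 'alice', 'correct horse', $t0 + 301), // ok: 300 s after the first failure
        attemptLogin($db, 'bob',   'anything',      $t0 + 301), // bad_credentials: unknown user
    ];
}

print_r(demo());
```

Two practical notes. Because the lock lives in the database, the row-level state survives a dropped session or a new cookie jar, which is exactly the weakness the first reply pointed out with session variables. The unknown-username branch returns immediately while the known-user branch runs password_verify(), so response time still leaks whether a username exists; if that matters, run password_verify() against a fixed dummy hash in the unknown-user branch as well.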
