annrose Posted September 27, 2012 Share Posted September 27, 2012 how to disable the user for 5 minut when he inputs the wrong pwd in only one time using php? iam trying but iam note access login page pls help... <?php session_start();?> <?php error_reporting(E_ALL ^ E_NOTICE);//hiding error using?> <?php require("connect.php"); $myusername=$_POST['username']; $mypassword=$_POST['password']; // let's say the block time is 5 mins $failded_waiting_time = 300; // 5 mins if(!isset($_SESSION['login_counter'])) $_SESSION['login_counter']=0; if($_SESSION['login_counter'] = 1) { $period = time()-$_SESSION['failed_login']; if($period < 500) { // do wat you want here like saying u need to wait // rediorect to login page header("location:head.php"); } // if period > $failded_waiting_time // reset time $_SESSION['failed_login'] = time(); } $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); if(isset($_POST['sub'])) { if (empty($myusername) || empty($mypassword)) { $problem = TRUE; } $sql="SELECT * FROM login WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1) { $_SESSION['myusername'] = $myusername; $_SESSION['mypassword'] = $mypassword; header("location:page.php"); exit; } else { $_SESSION['login_counter']=$_SESSION['login_counter']+1; // register the 1 failed acces time if($_SESSION['login_counter'] == 1) { $_SESSION['failed_login'] = time(); } header("location:index.php"); } } ?> <html> <head> </head> <body> <form method="post" action="login.php"> <table border="2"> <tr><td>userName</td><td><input type="text" name="username"/></td></tr> <tr><td>Password</td><td><input type="password" name="password"/></td></tr> <tr><td><input type="submit" name="sub" value="Login"></td></tr> </table> </form> </body> </html> login.php Quote Link to comment https://forums.phpfreaks.com/topic/268844-how-todisable-the-user-for-5minut-when-he-inputs-the-wrong-password-onetime-usinh-php-and-mysql/ Share on other sites More sharing options...
PFMaBiSmAd Posted September 27, 2012 Share Posted September 27, 2012 You cannot use session variables for the fail count and the lockout timer because all a person or bot script would need to do is 'drop' the current session id and they will get a new set of tries. You must store the fail count and lockout time in a database. Quote Link to comment https://forums.phpfreaks.com/topic/268844-how-todisable-the-user-for-5minut-when-he-inputs-the-wrong-password-onetime-usinh-php-and-mysql/#findComment-1381260 Share on other sites More sharing options...
Christian F. Posted September 27, 2012 Share Posted September 27, 2012 A few more comments: Please use the [code][/code] tags around your code, as it helps make both your post and your code a lot easier to read. I strongly recommend that you read this article about secure login systems. Storing plain text password is very bad. Don't open and close the PHP mode for each line, as you've done at the start. One open tag and one closing tag is enough for the whole PHP code. Quite easy to introduce header errors due to unnoticed whitespace otherwise. You're not properly validating the input, nor are you doing anything with the $problem variable. If a validation error is encountered, stop trying to log in and show the user the form again. With an error message and the username pre-filled. stripslashes () should be completely unnecessary and doesn't do anything, if you have magic_quotes turned on it's far better to turn it off instead. At least check for the magic quotes status, before using stripslashes (). You're not actually hiding the errors, but displaying them with the code in line 2. You have three header () calls which redirect the user, but only one of them has the required "die ()" afterwards. I'd actually recommend you to put the login-check in a function. That way you can easily abort only the login-part if an error is encountered, while still allowing the rest of the code to parse and show the form (again). Quote Link to comment https://forums.phpfreaks.com/topic/268844-how-todisable-the-user-for-5minut-when-he-inputs-the-wrong-password-onetime-usinh-php-and-mysql/#findComment-1381292 Share on other sites More sharing options...
Psycho Posted September 27, 2012 Share Posted September 27, 2012 Aside from the problems noted above, but to your problem: If you want to restrict login based upon failed attempts you need to query the record by ONLY the username. Also, I would add a new field to the table called "last_login_failure". Then when the user attempts to login follow this approach: 1. If no record is returned then the username is unknown so just fail login. You can't really set a value for any user since you don't know which user to apply it to. 2. Assuming a record was returned, check the last_login_failure time (if it exists). If that time was less than 5 minutes fail the login. But do not update the last_login_failure. If you do, then if the user waitetd 4:50 seconds thinking the 5 minutes had expired the clock would be reset. 3. Assuming the last_login_failure was NULL or more than 5 minutes ago, then you check if the password is correct. If not, fail the login and set the last_login_failure datetime value. If the password is correct, then just log the user in. Using the above method you only need to set a value for last_login_failure when a username/password match is incorrect. You don't need to remove the value after a successful login. Quote Link to comment https://forums.phpfreaks.com/topic/268844-how-todisable-the-user-for-5minut-when-he-inputs-the-wrong-password-onetime-usinh-php-and-mysql/#findComment-1381325 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.