daikumi Posted October 20, 2012 (edited)

```php
<html>
<head>
<title>LOG IN</title>
</head>
<?php
session_start();
$username = (@$_POST['username']);
$password = (@$_POST['password']);
$error['alert'] = '';
$error['username'] = '';
$error['password'] = '';
$input['username'] = '';
$input['password'] = '';

if (isset($_POST['submit']))
{
    if ($_POST['username'] == '' || $_POST['password'] == '')
    {
        if ($_POST['username'] == '') { $error['username'] = 'required'; }
        if ($_POST['password'] == '') { $error['password'] = 'required'; }
        $error['alert'] = 'Please fill in required fields!';
        $_POST['username'];
        $_POST['password'];
        include('v_login.php');
    }
    else $error['alert'] = "Username or Password is incorrect";
    {
        if ($username&&$password)
        {
            $connect = mysql_connect("server","dbusername","dbpassword");
            mysql_select_db("dbname") or die ("Couldn't find db");
            $query = mysql_query("SELECT * FROM users WHERE username='$username'");
            $numrows= mysql_num_rows($query);
            if($numrows!==0)
            {
                while($row=mysql_fetch_assoc($query))
                {
                    $dbusername= $row['username'];
                    $dbpassword= $row['password'];
                    $activated= $row['activated'];
                    if($activated=='0')
                    {
                        header("location:not_active.php");
                        exit();
                    }
                }
                if($username==$dbusername&& md5($password)==$dbpassword)
                {
                    header("location:member.php");
                    $_SESSION['username']=$username;
                }
                else $error['alert'] = "Username or Password is incorrect";
                include('v_login.php');
            }
            else
            {
                $error['alert'] = "Username or Password is incorrect";
                include('v_login.php');
            }
        }
        else
        {
            echo "";
        }
    }
}
else
{
    include('v_login.php');
}
?>
</html>
```

I would like some code for the login attempts that will block the user for 3 mins if the user fails to input the correct password 3 times.

Edited October 20, 2012 by daikumi

premiso Posted October 20, 2012

Welcome to the forums! Let me greet you by saying, posting your code and then requesting us to add functionality to it rarely goes over well. What is better is posting the relevant sections of your code, and your attempts. If you need help with the logic of it, request that and we can point you in the right direction. If you want this done for you, I would suggest the freelance forums and offering some monetary value for the code. Thanks!

jcbones Posted October 20, 2012

You need to create a session variable that stores the time on the third submission (which needs to also be tracked). When the difference between that time and the current time is greater than 180 seconds (current - oldtime), then you can allow the next submission. An example would be:

```php
if((time() - $_SESSION['time_of_block']) > 180) {
    //allow submission
} else {
    echo 'You have attempted to login 3 times, please try again later!';
}
```

Now this will work on only this session; closing the browser and reopening will let someone log in before the 3 minutes is up. However, changing it from a session to a cookie would breach the "close and reopen" thing. To get even more secure, save this to the database in a new table, joining it to the user table on the checkin.

Now, if you would allow me to give you some pointers in your script, I would be happy to do so.

```php
<html>
<head>
<title>LOG IN</title>
</head>
<?php
session_start(); //this call is required to be made before headers are sent to the browser, but it isn't in this case. Move it to the very top of the script.
$username = (@$_POST['username']); //don't suppress errors, verify that the index exists *isset() or empty()*.
$password = (@$_POST['password']); //why even set this at all, if you use the $_POST array for everything below?
$error['alert'] = '';
$error['username'] = '';
$error['password'] = '';
$input['username'] = '';
$input['password'] = '';

if (isset($_POST['submit']))
{
    if ($_POST['username'] == '' || $_POST['password'] == '') //I'm not sure which is faster, this way or empty()?
    {
        if ($_POST['username'] == '') { $error['username'] = 'required'; }
        if ($_POST['password'] == '') { $error['password'] = 'required'; }
        $error['alert'] = 'Please fill in required fields!';
        $_POST['username'];
        $_POST['password'];
        include('v_login.php');
    }
    else $error['alert'] = "Username or Password is incorrect";
    {
        if ($username&&$password) //since these variables are not explicitly 'true' or 'false', I personally don't like using them in this context. I prefer empty(), as it returns true or false.
        {
            $connect = mysql_connect("server","dbusername","dbpassword"); //mysql libraries are out of date, I suggest using the preferred mysqli libraries.
            mysql_select_db("dbname") or die ("Couldn't find db");
            $query = mysql_query("SELECT * FROM users WHERE username='$username'");
            $numrows= mysql_num_rows($query);
            if($numrows!==0)
            {
                while($row=mysql_fetch_assoc($query))
                {
                    $dbusername= $row['username']; //to save on memory (which isn't a problem in small scripts), I suggest using the array indexes, instead of saving to a variable.
                    $dbpassword= $row['password']; //this might not make a difference on a script this size, but is a good coding habit to form.
                    $activated= $row['activated']; //and will save your hands from typing that little bit extra.
                    if($activated=='0')
                    {
                        header("location:not_active.php"); //headers are already sent, this should cause an error.
                        exit(); //bravo, this is a commonly missed necessity.
                    }
                }
                if($username==$dbusername&& md5($password)==$dbpassword)
                {
                    header("location:member.php"); //headers are already sent, should error out.
                    $_SESSION['username']=$username;
                }
                else $error['alert'] = "Username or Password is incorrect";
                include('v_login.php');
            }
            else
            {
                $error['alert'] = "Username or Password is incorrect";
                include('v_login.php');
            }
        }
        else
        {
            echo ""; //no need to echo an empty string.
        }
    }
}
else
{
    include('v_login.php');
}
?>
</html>
```

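The database-backed variant suggested in the reply above, as an added example that is not part of the original thread: the failure counter and block time are stored per username on the server, so closing the browser or deleting cookies does not reset them. The `login_attempts` table, its column names, the `password_hash` column, the use of `password_verify()` in place of the thread's `md5()` comparison, and the in-memory SQLite database with constructed demo data are all assumptions made for the example.

```php
<?php
// Added example: lockout state lives in the database, keyed by username,
// so it survives a closed browser or cleared cookies.
const MAX_FAILURES = 3;     // failures allowed before blocking (from the thread)
const BLOCK_SECONDS = 180;  // block length: 3 minutes (from the thread)

function attemptLogin(PDO $db, string $username, string $password, int $now): string
{
    // Hypothetical table login_attempts(username, failures, blocked_until).
    $stmt = $db->prepare('SELECT failures, blocked_until FROM login_attempts WHERE username = ?');
    $stmt->execute([$username]);
    $state = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'blocked_until' => 0];

    if ($now < (int) $state['blocked_until']) {
        return 'blocked';   // refuse before the password is even checked
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash !== false && password_verify($password, $hash)) {
        $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
        return 'ok';
    }

    // Count the failure; the third one starts the block and resets the counter.
    $failures = (int) $state['failures'] + 1;
    $blockedUntil = 0;
    if ($failures >= MAX_FAILURES) {
        $blockedUntil = $now + BLOCK_SECONDS;
        $failures = 0;
    }
    $db->prepare('REPLACE INTO login_attempts (username, failures, blocked_until) VALUES (?, ?, ?)')
       ->execute([$username, $failures, $blockedUntil]);
    return $blockedUntil ? 'blocked' : 'failed';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE login_attempts (username TEXT PRIMARY KEY, failures INTEGER, blocked_until INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

$t = 1000;  // constructed clock value so the run is deterministic
foreach ([['wrong', 0], ['wrong', 1], ['wrong', 2], ['s3cret', 60], ['s3cret', 183]] as [$pw, $dt]) {
    echo "t+{$dt}s: ", attemptLogin($db, 'alice', $pw, $t + $dt), PHP_EOL;
}
```

Because the counter is keyed by username, failures against names that do not exist are recorded the same way, so the response does not reveal which accounts are real.
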
daikumi (Author) Posted October 20, 2012

Thank you for the reply, sir jcbones. The code I posted is already running. I just don't know how to add a login attempt in that code, but thanks for correcting my code. Sir premiso, sorry if I posted it like that. I'm still a beginner and I don't have much knowledge of PHP and I'm running out of time :'(

JohnTipperton Posted October 21, 2012

Well, if you are running out of time, try to check this page: http://codereview.stackexchange.com/questions/7501/login-validation