limited attempts for login and block a users account for a specific amout of time

[lemeck]

good day i have a problem with creating login attempts that will block an existing account from logging in if the user input incorrect details for 5 attempts i have an ajax and a database for it

i tried making a catch for attempts that has a value of 0. then every fail it gives + 1 but it won't add more than ones because i think the ajax command refreshes it again so the attempts recieves 1 loop only.

the login part is working but i can't make the attempts work and do you have any idea how to block the user if attempts is greater than 5 for 15 mins i have search a code for it but it's last used in 2007 so some of the code can't be read by php

here's my ajax code:

on the login page here's the ajax code:

<script type="text/javascript">
function validLogin(){
      var uname=$('#uname').val();
      var password=$('#password').val();
	  var attempts=0;
	  
      var dataString = 'uname='+ uname + '&password='+ password;
      $("#flash").show();
      $("#flash").fadeIn(400).html('<img src="images/loading.gif" />');
      $.ajax({
      type: "POST",
      url: "login_processed.php",
      data: dataString,
      cache: false,
      success: function(result){
               var result=trim(result);
               $("#flash").hide();
               if(result=='correct0'){
                     window.location='user_home.php';
					 }
				else if(result=='correct1'){
                     window.location='admin_home.php';
               }else{
                     $("#errorMessage").html(result);
					 		 $attempts++;
               }
			  
      }
      });
}
 
function trim(str){
     var str=str.replace(/^\s+|\s+$/,'');
     return str;
}
</script>

and here's the login_process.php code for processing of login where it catch the results and errors.

<?php
session_start();
include_once('includes/dbConnect.php');
$message=array();
$attempts=0;
if(isset($_POST['uname']) && !empty($_POST['uname'])){
    $uname=mysql_real_escape_string($_POST['uname']);
}else{
    $message[]='Please enter username';
}

if(isset($_POST['password']) && !empty($_POST['password'])){
    $password=mysql_real_escape_string($_POST['password']);
}else{
    $message[]='Please enter password';
	
}

$countError=count($message);

if($countError > 0){
          $attempts++;
  echo $attempts;
	 for($i=0;$i<$countError;$i++){
              echo ucwords($message[$i]).'</br>';

	 }

}


else{
    $query="select * from user where uname='$uname' and BINARY password='$password'";
	
    $res=mysql_query($query);
    $checkUser=mysql_num_rows($res);
	$row = mysql_fetch_assoc($res);
    if($checkUser > 0){
         $_SESSION['LOGIN_STATUS']=true;
         $_SESSION['UNAME']=$uname;
         echo 'correct'.$row['type'];
    }else{
         echo ucwords('Incorrect Username or Password');

    }
}
?>

any help would be really appreciated. and can you teach me for the login attempts blocking the user because if i block the ip of a user that have wrong attempts it can affect widely the place where a person login for example a computer shop. thanks . sorry i'm just a beginner 

 

here's my tables column for the users 

 

 

 

 

 

 

 

 

 

  Email Department uname password type LastName FirstName MI id 

 

[sKunKbad]

You'll need to store the failed login attempts in your database, then check the database to see if a site visitor has too many.

 

1) When the login page is presented, check the IP address to see if you should even show the form.

 

2) When the form is submitted, check if IP or username or email address is blocked for too many login attempts.

 

3) When login page is presented or form submitted, delete stale login attempts (this should actually be done first)