
[SOLVED] I am trying to disable a user from logging in after 3 or more failed logins


cluce


I am trying to stop a user from logging in if they have 3 or more failed login attempts stored in their record, but the code is not displaying my message. It still counts the unsuccessful attempts, and it still logs the user in when the username and password are correct.

 

Can someone see where the error is? I would appreciate it.

 

here is my code....

<?php
// Login handler: checks the posted username/password against auth_users, refuses
// accounts with 3 or more recorded failures, and maintains the failed_logins counter.
session_start();

//check for required fields from the form
if ((!isset($_POST["username"])) || (!isset($_POST["password"]))) {
	header("Location: user_logon.html");
exit;
}

//connect to server and select database
// NOTE(review): root with an empty password looks like a local-dev default;
// use a dedicated least-privilege database account anywhere else.
$mysqli = mysqli_connect("localhost", "root", "", "test");

//create and issue the query
// NOTE(review): both $_POST values are concatenated straight into the SQL text, so the
// request body controls the query (SQL injection). Bind them as parameters with
// mysqli_prepare() / mysqli_stmt_bind_param() instead. The same applies to every
// query below that embeds $_POST["username"].
// NOTE(review): PASSWORD() is MySQL's internal hash (removed in MySQL 8.0), not an
// application password hash; password_hash() / password_verify() are the usual choice.
$sql = "SELECT username, f_name, l_name FROM auth_users WHERE username = '".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";

// NOTE(review): die(mysqli_error(...)) prints the raw database error to the visitor.
$result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//gets number of unsuccessful logins
// mysqli_query() returns a mysqli_result object for a SELECT (false on failure),
// not the failed_logins value; the row still has to be fetched from it.
$attempts = mysqli_query($mysqli,"SELECT failed_logins FROM auth_users WHERE username = '".$_POST["username"]."'");

//checks if user is disabled 
// This compares the result object itself with 3, so the stored counter is never
// looked at and the lockout branch is not taken for a locked account.
if ($attempts >= 3){
echo ("login disabled");

} else {

//get the number of rows in the result set; should be 1 if a match
if (mysqli_num_rows($result) == 1) {

//if authorized, get the values of f_name l_name
while ($info = mysqli_fetch_array($result)) {
	$f_name = stripslashes($info['f_name']);
	$l_name = stripslashes($info['l_name']);
}

//set authorization cookie
// NOTE(review): the cookie value is the constant "1", so it cannot prove who logged
// in; confirm that protected pages check the session rather than this cookie.
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);
$_SESSION['usersname'] = $f_name . " " . $l_name;

//record last login
    $sql2 = "UPDATE auth_users SET last_login=NOW() WHERE username = '".$_POST["username"]."'";   
     mysqli_query($mysqli,$sql2);

//clears failed logins
$sql3 = "UPDATE auth_users SET failed_logins = 0 WHERE username = '".$_POST["username"]."'";
mysqli_query($mysqli, $sql3);

//directs authorized user
header("Location: logon.php");

} else {

//redirect back to login form if not authorized
// the failure is counted against whatever username was posted
$_SESSION['error'] =  "<font color='red'>invalid username and/or password combination</font>"; 
$sql4 = "UPDATE auth_users SET failed_logins = failed_logins + 1 WHERE username = '".$_POST["username"]."'"; 
    mysqli_query($mysqli,$sql4);
  
header("Location: user_logon.php");
exit;
}
}
?>


This is your issue: you are treating the following line as though it returns a value rather than a query result resource. You still have to extract the number of attempts from that variable, in whatever format you have it stored.

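<?php
// This (from the original post) stores a mysqli_result object in $attempts, so the
// later `$attempts >= 3` test never sees the counter. It also concatenates the posted
// username into the SQL text, which lets the request rewrite the query:
// $attempts = mysqli_query($mysqli,"SELECT failed_logins FROM auth_users WHERE username = '".$_POST["username"]."'");

// Should be something like this...
// Stay on the mysqli API throughout (mysql_num_rows()/mysql_result() belong to the old
// mysql extension and cannot read a mysqli result), and bind the username as a
// parameter so it is always treated as data.
$username = $_POST["username"];
$stmt = mysqli_prepare($mysqli, "SELECT failed_logins FROM auth_users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $failed_logins);
// mysqli_stmt_fetch() is true only when a row was read; an unknown username counts as 0.
if (mysqli_stmt_fetch($stmt)) {
	$attempts = (int) $failed_logins;
} else {
	$attempts = 0;
}
mysqli_stmt_close($stmt);
?>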


Now I get these warnings:

 

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, string given in C:\wamp\www\userlogin.php on line 21

 

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\userlogin.php:21) in C:\wamp\www\userlogin.php on line 63

 

 

<?php
// Second attempt at the login handler: the failed_logins lookup now tries to read the
// row, but mixes the mysqli and the old mysql function families.
session_start();

//check for required fields from the form
if ((!isset($_POST["username"])) || (!isset($_POST["password"]))) {
	header("Location: user_logon.html");
exit;
}

//connect to server and select database
// NOTE(review): root with an empty password looks like a local-dev default.
$mysqli = mysqli_connect("localhost", "root", "", "test");

//create and issue the query
// NOTE(review): $_POST values are concatenated into the SQL text here and in every
// query below (SQL injection); bind them with mysqli_prepare() / mysqli_stmt_bind_param().
// NOTE(review): PASSWORD() is MySQL's internal hash (removed in MySQL 8.0); prefer
// password_hash() / password_verify() for application passwords.
$sql = "SELECT username, f_name, l_name FROM auth_users WHERE username = '".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";

// NOTE(review): die(mysqli_error(...)) prints the raw database error to the visitor.
$result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//gets number of unsuccessful logins
// Should be something like this...
$sql1 = mysqli_query($mysqli,"SELECT failed_logins FROM auth_users WHERE username = '".$_POST["username"]."'");
if (mysqli_num_rows($sql1) == 1) {
// NOTE(review): mysql_result() is from the old mysql extension (removed in PHP 7) and
// does not accept a mysqli result; read the row with mysqli_fetch_assoc($sql1) instead.
$attempts = mysql_result($sql1, 0, 'failed_logins');
} else {
$attempts = 0;
}
//checks if user is disabled 
if ($attempts >= 3){
echo ("login disabled");

} else {

//get the number of rows in the result set; should be 1 if a match
if (mysqli_num_rows($result) == 1) {

//if authorized, get the values of f_name l_name
while ($info = mysqli_fetch_array($result)) {
	$f_name = stripslashes($info['f_name']);
	$l_name = stripslashes($info['l_name']);
}

//set authorization cookie
// NOTE(review): a constant "1" cannot prove who logged in; confirm that protected
// pages check the session rather than this cookie.
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);
$_SESSION['usersname'] = $f_name . " " . $l_name;

//record last login
    $sql2 = "UPDATE auth_users SET last_login=NOW() WHERE username = '".$_POST["username"]."'";   
     mysqli_query($mysqli,$sql2);

//clears failed logins
$sql3 = "UPDATE auth_users SET failed_logins = 0 WHERE username = '".$_POST["username"]."'";
mysqli_query($mysqli, $sql3);

//directs authorized user
// header() only works before any output; a PHP warning printed earlier in the request
// is output too, and then produces "headers already sent".
header("Location: logon.php");

} else {

//redirect back to login form if not authorized
$_SESSION['error'] =  "<font color='red'>invalid username and/or password combination</font>"; 
$sql4 = "UPDATE auth_users SET failed_logins = failed_logins + 1 WHERE username = '".$_POST["username"]."'"; 
    mysqli_query($mysqli,$sql4);
  
header("Location: user_logon.php");
exit;
}
}
?>


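<?php
// Login handler: refuses accounts with 3 or more recorded failures, otherwise checks
// the posted credentials and maintains the failed_logins counter in auth_users.
// Every query uses the mysqli API with bound parameters; request data is never
// concatenated into SQL text.
session_start();

// Prepares a statement, or logs the driver error and stops with a generic message
// so database details are never echoed to the visitor.
function login_prepare($mysqli, $sql)
{
	$stmt = mysqli_prepare($mysqli, $sql);
	if (!$stmt) {
		error_log("login: prepare failed: " . mysqli_error($mysqli));
		die("login is temporarily unavailable");
	}
	return $stmt;
}

//check for required fields from the form; both must be plain strings
// (a field posted as username[]=x arrives as an array)
if (!isset($_POST["username"], $_POST["password"])
	|| !is_string($_POST["username"]) || !is_string($_POST["password"])) {
	header("Location: user_logon.html");
	exit;
}
$username = $_POST["username"];
$password = $_POST["password"];

//connect to server and select database
// NOTE(review): root with an empty password looks like a local-dev default;
// use a dedicated least-privilege database account anywhere else.
$mysqli = mysqli_connect("localhost", "root", "", "test");
if (!$mysqli) {
	error_log("login: database connection failed: " . mysqli_connect_error());
	die("login is temporarily unavailable");
}

//gets number of unsuccessful logins
$stmt = login_prepare($mysqli, "SELECT failed_logins FROM auth_users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $failed_logins);
// read the counter out of the row; an unknown username has no failures recorded
$attempts = mysqli_stmt_fetch($stmt) ? (int) $failed_logins : 0;
mysqli_stmt_close($stmt);

//checks if user is disabled
// NOTE(review): the counter never expires and is keyed on the username alone, so three
// wrong guesses by anyone lock the account until it is reset by hand; a time-limited
// lock is worth considering. The distinct message also reveals that the account exists.
if ($attempts >= 3) {
	echo ("login disabled");
	exit;
}

//check the credentials; exactly one matching row means authorized
// NOTE(review): PASSWORD() is MySQL's internal hash and was removed in MySQL 8.0.
// It is kept here because the stored values depend on it; migrating the column to
// password_hash() / password_verify() is the proper fix.
$stmt = login_prepare($mysqli, "SELECT f_name, l_name FROM auth_users WHERE username = ? AND password = PASSWORD(?)");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt); // buffer the rows so the row count is available
mysqli_stmt_bind_result($stmt, $f_name, $l_name);
$full_name = null;
if (mysqli_stmt_num_rows($stmt) == 1 && mysqli_stmt_fetch($stmt)) {
	$full_name = stripslashes($f_name) . " " . stripslashes($l_name);
}
mysqli_stmt_close($stmt);

if ($full_name !== null) {
	// issue a fresh session id at login so an id set before authentication is not reused
	session_regenerate_id(true);

	//set authorization cookie
	// NOTE(review): the value is the constant "1", so it cannot prove who logged in;
	// confirm that protected pages check the session rather than this cookie.
	setcookie("auth", "1", 0, "/", "yourdomain.com", 0);
	$_SESSION['usersname'] = $full_name;

	//record last login and clear failed logins
	$stmt = login_prepare($mysqli, "UPDATE auth_users SET last_login = NOW(), failed_logins = 0 WHERE username = ?");
	mysqli_stmt_bind_param($stmt, "s", $username);
	mysqli_stmt_execute($stmt);
	mysqli_stmt_close($stmt);

	//directs authorized user
	header("Location: logon.php");
	exit;
}

//not authorized: count the failure and redirect back to the login form
$_SESSION['error'] = "<font color='red'>invalid username and/or password combination</font>";
$stmt = login_prepare($mysqli, "UPDATE auth_users SET failed_logins = failed_logins + 1 WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

header("Location: user_logon.php");
exit;
?>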
