469,271 Members | 1,000 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,271 developers. It's quick & easy.

How to limit login attemps?

I'm in the process of making a website, I know the basics of PHP etc.. and have a page where a user has to sign up and activiate thier account via e-mail, when they clikc the link it change a field in the MySQL database from 0 to 1. If it remains 0 the user cannot login in.

What I want to do, is set it up so if the password is wrong say 5 times then this activiation number is updated and changed to 0 again. How would be best to do this? If statement? While loop or what??

I have attached the work in progress of the code and any help would be appreciated ASAP!

Expand|Select|Wrap|Line Numbers
  1. <?php
  2.  
  3.     include "dbconnect.php";
  4.     session_start();
  5.        $email =$_POST["email"]; 
  6.        $password =$_POST["password"];
  7.        $password2 = md5("$password"); 
  8.        $activation = 1; 
  9.        $i=0;
  10.         if ($i < 5) 
  11.         {
  12.  
  13.  
  14.  
  15.  
  16.        if (empty($email) or empty($password)) 
  17.            {
  18.            $_SESSION["message"] = "Must enter your E-mail and Password " ;
  19.            header("Location: login.php"); //This sets the redirection information
  20.             //Ends the script and redirects to above
  21.            } 
  22.  
  23.           $query = "SELECT * FROM clients_details WHERE email = '$email' AND  password = '$password2' AND activation = '$activation' ";
  24.           $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
  25.         // see if any rows were returned 
  26.         if (mysql_num_rows($result) > 0) 
  27.          { 
  28.            $_SESSION["authenticatedUser"] = $email;
  29.              // Relocate to the logged-in page
  30.             header("Location: usercontrol.php");
  31.          } 
  32.         else  
  33.          {
  34.              $i = + 1;
  35.            $_SESSION["message"] = "Could not login as $email " ;
  36.            header("Location: login.php");
  37.  
  38.  
  39.          }
  40.  
  41.         }
  42.         else {
  43.         $query = " UPDATE clients_details SET activation = '0' WHERE email= '$email' ";
  44.             $_SESSION["message"] = "$email your account has been blocked, please contact the systems administrator! " ;
  45.                header("Location: login.php"); 
  46.  }
  47.  
  48.          exit;
  49. ?>
Jan 6 '10 #1
17 9243
Frinavale
9,735 Expert Mod 8TB
You may consider adding a time window for the login attempts...for example, 5 minutes or something.

You could use session to keep track of the number of times a user has attempted to log in from a particular browser. Or you could use a hiddenfield (which is client side so this could be reset and probably shouldn't be depended on). Or you could use a cookie (also stored client side)...or you could store this number in the database.....

-Frinny
Jan 6 '10 #2
I have a timeout session in place, whcih logs out the user after 600 seconds, but I thought it would be a simple if statement. Stating the password is wrong of the 5th time then update the database, make the activiation code to 0 and therefore blocking the account.

This is some help that has been suggested to me:

Looks like $i will be re-set to 0 each time the script is run.
May need to create a session variable counter and pass it back and forward between the form and script.

Any help would be appreciated

thanks
Jan 7 '10 #3
Frinavale
9,735 Expert Mod 8TB
Well, when the user clicks the "login" button, you should authenticate the password. If the password is wrong then increment the variable in session that keeps track of the number of times that that the user has provided an invalid password. If an invalid password has been provided incorrectly 5 times, then preform the necessary steps to deactivate the account. (You need to use if-statements to accomplish this).

-Frinny
Jan 7 '10 #4
Would it be possible for you to include some coding for an example please
Jan 7 '10 #5
Frinavale
9,735 Expert Mod 8TB
The $_POST is array of variables passed to the current script via the HTTP POST method. If your submit button was clicked then your submit button will be part of the post.


The isset method determines if a variable is set and is not NULL. If the submit is part of the array of variables passed in to the current script, then it will not be null and you know the user clicked your submit button.

Expand|Select|Wrap|Line Numbers
  1. if (isset($_POST['Submit'])) {
  2.   //In here check if the user has provided the correct password
  3.   //If the user has not provided the correct password:
  4.   //  grab the Session variable for tracking the number of times 
  5.   //  the user has provided an incorrect password and increment the counter
  6.   // If the user has provided an incorrect password more than 5 times then:
  7.   //  do what is necessary to  deactivate the account
  8. }
Jan 7 '10 #6
would this go on the login.php page or loginaction.php page tho?
Jan 7 '10 #7
Frinavale
9,735 Expert Mod 8TB
You never mentioned either of these pages....
What is the purpose of each page?
Are they combined? Do you have more than one submit on the same page?
Jan 7 '10 #8
Sorry my mistake, login.php takes the user details e-mail and password via a input form and then when the button submit is clicked. The data is posted to loginaction.php the code i posted earlier.
Jan 7 '10 #9
Frinavale
9,735 Expert Mod 8TB
Retrieve $i from session instead of setting it to 0.
Before you exit the page be sure to store $i in session so that you can retrieve it next time the page is submitted to check if the user has provided an invalid password more 5 times...
Jan 7 '10 #10
Nope still cant get it to work grr!!
Jan 7 '10 #11
Frinavale
9,735 Expert Mod 8TB
Ok post what you have :)
I'm not really a PhP expert but I think I can still give you a hand.

-Frinny
Jan 7 '10 #12
login.php
Expand|Select|Wrap|Line Numbers
  1. <h2>Login</h2>
  2. <?php 
  3.   // Include the formatted error message
  4.   if (isset($_SESSION['message']))
  5.     echo 
  6.       "<h4>".$_SESSION['message']." and ".$_SESSION['count']. "</h4>";
  7.     // Generate the login <form> layout
  8.     if (isset($_SESSION['message']))
  9.       echo
  10.         "<h4>".$_SESSION['count']. "</h4>";
  11. ?> 
  12. <!-- InstanceEndEditable -->
  13. <div class="preparation">
  14.   <!-- InstanceBeginEditable name="paragraph" -->
  15.  
  16.   <form action="loginaction.php" method="post" name="login" target="_self">
  17.     <table class="tablelogin" >
  18.       <tr>
  19.         <td>
  20.           <label for="email">E-mail Address</label>                                
  21.         </td>
  22.         <td>
  23.           <input type="text" name="email" id="email" />                                
  24.         </td>
  25.       </tr>
  26.       <tr>
  27.         <td>
  28.           <label for="password">Password</label>                                
  29.         </td>
  30.       <td>
  31.         <input type="password" name="password" id="password" />                                
  32.         </td>
  33.       </tr>
  34.       <tr>
  35.         <td>&nbsp;
  36.         </td>
  37.         <td>&nbsp;
  38.         </td>
  39.       </tr>
  40.       <tr>
  41.         <td>
  42.         </td>
  43.         <td>
  44.           <input type="hidden" name="count" id="count" value="1" /> 
  45.           <input type="reset" name="reset" id="reset" value="Clear" />   
  46.           <input type="submit" name="submit" id="submit" value="Log in" />    
  47.         </td>
  48.       </tr>
  49.     </table>
  50.   </form>  
loginaction.php
Expand|Select|Wrap|Line Numbers
  1. <?php
  2.  
  3.     include "dbconnect.php";
  4.     session_start();
  5.        $email =$_POST["email"]; 
  6.        $password =$_POST["password"];
  7.        $password2 = md5("$password"); 
  8.        $activation = 1; 
  9.  
  10.         if ($i < 5) 
  11.         {
  12.             $i=0;
  13.  
  14.  
  15.  
  16.  
  17.  
  18.        if (empty($email) or empty($password)) 
  19.            {
  20.            $_SESSION["message"] = "Must enter your E-mail and Password " ;
  21.            header("Location: login.php"); //This sets the redirection information
  22.             //Ends the script and redirects to above
  23.            } 
  24.  
  25.           $query = "SELECT * FROM clients_details WHERE email = '$email' AND  password = '$password2' AND activation = '$activation' ";
  26.           $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
  27.         // see if any rows were returned 
  28.         if (mysql_num_rows($result) > 0) 
  29.          { 
  30.            $_SESSION["authenticatedUser"] = $email;
  31.              // Relocate to the logged-in page
  32.             header("Location: usercontrol.php");
  33.          } 
  34.         else  
  35.          {
  36.              $_SESSION["count"] = $i + 1 ;
  37.            $_SESSION["message"] = "Could not login as $email " ;
  38.            header("Location: login.php");
  39.  
  40.  
  41.          }
  42.              $_SESSION["count"] = $i + 1 ;
  43.         }
  44.         else {
  45.         $query = " UPDATE clients_details SET activation = '0' WHERE email= '$email' ";
  46.             $_SESSION["message"] = "$email your account has been blocked, please contact the systems administrator! " ;
  47.                header("Location: login.php"); 
  48.              }
  49.  
  50.  
  51.          exit;
  52. ?>
Thats my coding to the point I'm ripping my hair out :p gonna go get a tea and have 5 mins away from the pc. Then have another look at it, hopefully between us we'll figure it out :p
Jan 7 '10 #13
Frinavale
9,735 Expert Mod 8TB
Please post code in [code] tags. It makes things a lot easier.

On line 12 in loginaction.php..shouldn't you be setting $i = $_SESSION['count']?
And, shouldn't this be done before your if statement on line 10?
Jan 7 '10 #14
Yeh I've just made them alterations, the error message now pops up on the on 6th attempt, but it isn't updating the database. Any ideas why?
Jan 7 '10 #15
Frinavale
9,735 Expert Mod 8TB
Well it looks like your SQL query is right but it looks like you aren't actually updating the table? This is probably why.

-Frinny
Jan 7 '10 #16
oh :s can u explain please?
Jan 7 '10 #17
Firgued it out i was missing "mysql_query" from the front of update, thanks so much for your help.
Jan 7 '10 #18

Post your reply

Sign in to post your reply or Sign up for a free account.

Similar topics

3 posts views Thread by Gary | last post: by
3 posts views Thread by tchangmian | last post: by
2 posts views Thread by matias.cornejo | last post: by
reply views Thread by parun | last post: by
3 posts views Thread by =?Utf-8?B?QmlsbHkgWmhhbmc=?= | last post: by
reply views Thread by zhoujie | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.