How to limit login attempts?

I'm in the process of making a website, I know the basics of PHP etc.. and have a page where a user has to sign up and activate their account via e-mail, when they click the link it changes a field in the MySQL database from 0 to 1. If it remains 0 the user cannot log in.

What I want to do, is set it up so if the password is wrong say 5 times then this activation number is updated and changed to 0 again. How would be best to do this? If statement? While loop or what??

I have attached the work in progress of the code and any help would be appreciated ASAP!

<?php

    include "dbconnect.php";
    session_start();
    $email = $_POST["email"];
    $password = $_POST["password"];
    $password2 = md5("$password");
    $activation = 1;
    $i = 0;
    if ($i < 5)
    {

        if (empty($email) or empty($password))
        {
            $_SESSION["message"] = "Must enter your E-mail and Password ";
            header("Location: login.php"); //This sets the redirection information
            //Ends the script and redirects to above
        }

        $query = "SELECT * FROM clients_details WHERE email = '$email' AND  password = '$password2' AND activation = '$activation' ";
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        // see if any rows were returned
        if (mysql_num_rows($result) > 0)
        {
            $_SESSION["authenticatedUser"] = $email;
            // Relocate to the logged-in page
            header("Location: usercontrol.php");
        }
        else
        {
            $i = + 1;
            $_SESSION["message"] = "Could not login as $email ";
            header("Location: login.php");
        }

    }
    else {
        $query = " UPDATE clients_details SET activation = '0' WHERE email= '$email' ";
        $_SESSION["message"] = "$email your account has been blocked, please contact the systems administrator! ";
        header("Location: login.php");
    }

    exit;
?>
Jan 6 '10 #1
Frinavale
9,735 Expert Mod 8TB
You may consider adding a time window for the login attempts...for example, 5 minutes or something.

You could use session to keep track of the number of times a user has attempted to log in from a particular browser. Or you could use a hidden field (which is client side so this could be reset and probably shouldn't be depended on). Or you could use a cookie (also stored client side)...or you could store this number in the database.....

-Frinny
Jan 6 '10 #2
I have a timeout session in place, which logs out the user after 600 seconds, but I thought it would be a simple if statement. Stating the password is wrong for the 5th time then update the database, make the activation code to 0 and therefore blocking the account.

This is some help that has been suggested to me:

Looks like $i will be re-set to 0 each time the script is run.
May need to create a session variable counter and pass it back and forward between the form and script.

Any help would be appreciated

thanks
Jan 7 '10 #3
Frinavale
Well, when the user clicks the "login" button, you should authenticate the password. If the password is wrong then increment the variable in session that keeps track of the number of times that the user has provided an invalid password. If an invalid password has been provided incorrectly 5 times, then perform the necessary steps to deactivate the account. (You need to use if-statements to accomplish this).

-Frinny
Jan 7 '10 #4
Would it be possible for you to include some coding for an example please?
Jan 7 '10 #5
Frinavale
$_POST is an array of variables passed to the current script via the HTTP POST method. If your submit button was clicked then your submit button will be part of the post.


The isset method determines if a variable is set and is not NULL. If the submit is part of the array of variables passed in to the current script, then it will not be null and you know the user clicked your submit button.

if (isset($_POST['Submit'])) {
  //In here check if the user has provided the correct password
  //If the user has not provided the correct password:
  //  grab the Session variable for tracking the number of times
  //  the user has provided an incorrect password and increment the counter
  // If the user has provided an incorrect password more than 5 times then:
  //  do what is necessary to deactivate the account
}
Jan 7 '10 #6
would this go on the login.php page or loginaction.php page tho?
Jan 7 '10 #7
Frinavale
You never mentioned either of these pages....
What is the purpose of each page?
Are they combined? Do you have more than one submit on the same page?
Jan 7 '10 #8
Sorry my mistake, login.php takes the user details e-mail and password via an input form and then, when the submit button is clicked, the data is posted to loginaction.php, the code I posted earlier.
Jan 7 '10 #9
Frinavale
Retrieve $i from session instead of setting it to 0.
Before you exit the page be sure to store $i in session so that you can retrieve it next time the page is submitted to check if the user has provided an invalid password more than 5 times...
Jan 7 '10 #10
Nope still can't get it to work grr!!
Jan 7 '10 #11
Frinavale
Ok post what you have :)
I'm not really a PHP expert but I think I can still give you a hand.

-Frinny
Jan 7 '10 #12
login.php
<h2>Login</h2>
<?php
  // Include the formatted error message
  if (isset($_SESSION['message']))
    echo
      "<h4>".$_SESSION['message']." and ".$_SESSION['count']. "</h4>";
    // Generate the login <form> layout
    if (isset($_SESSION['message']))
      echo
        "<h4>".$_SESSION['count']. "</h4>";
?>
<!-- InstanceEndEditable -->
<div class="preparation">
  <!-- InstanceBeginEditable name="paragraph" -->

  <form action="loginaction.php" method="post" name="login" target="_self">
    <table class="tablelogin" >
      <tr>
        <td>
          <label for="email">E-mail Address</label>
        </td>
        <td>
          <input type="text" name="email" id="email" />
        </td>
      </tr>
      <tr>
        <td>
          <label for="password">Password</label>
        </td>
      <td>
        <input type="password" name="password" id="password" />
        </td>
      </tr>
      <tr>
        <td>&nbsp;
        </td>
        <td>&nbsp;
        </td>
      </tr>
      <tr>
        <td>
        </td>
        <td>
          <input type="hidden" name="count" id="count" value="1" />
          <input type="reset" name="reset" id="reset" value="Clear" />
          <input type="submit" name="submit" id="submit" value="Log in" />
        </td>
      </tr>
    </table>
  </form>
loginaction.php
  1. <?php
  2.  
  3.     include "dbconnect.php";
  4.     session_start();
  5.        $email =$_POST["email"]; 
  6.        $password =$_POST["password"];
  7.        $password2 = md5("$password"); 
  8.        $activation = 1; 
  9.  
  10.         if ($i < 5) 
  11.         {
  12.             $i=0;
  13.  
  14.  
  15.  
  16.  
  17.  
  18.        if (empty($email) or empty($password)) 
  19.            {
  20.            $_SESSION["message"] = "Must enter your E-mail and Password " ;
  21.            header("Location: login.php"); //This sets the redirection information
  22.             //Ends the script and redirects to above
  23.            } 
  24.  
  25.           $query = "SELECT * FROM clients_details WHERE email = '$email' AND  password = '$password2' AND activation = '$activation' ";
  26.           $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
  27.         // see if any rows were returned 
  28.         if (mysql_num_rows($result) > 0) 
  29.          { 
  30.            $_SESSION["authenticatedUser"] = $email;
  31.              // Relocate to the logged-in page
  32.             header("Location: usercontrol.php");
  33.          } 
  34.         else  
  35.          {
  36.              $_SESSION["count"] = $i + 1 ;
  37.            $_SESSION["message"] = "Could not login as $email " ;
  38.            header("Location: login.php");
  39.  
  40.  
  41.          }
  42.              $_SESSION["count"] = $i + 1 ;
  43.         }
  44.         else {
  45.         $query = " UPDATE clients_details SET activation = '0' WHERE email= '$email' ";
  46.             $_SESSION["message"] = "$email your account has been blocked, please contact the systems administrator! " ;
  47.                header("Location: login.php"); 
  48.              }
  49.  
  50.  
  51.          exit;
  52. ?>
That's my coding to the point I'm ripping my hair out :p gonna go get a tea and have 5 mins away from the PC. Then have another look at it, hopefully between us we'll figure it out :p
Jan 7 '10 #13
Frinavale
Please post code in [code] tags. It makes things a lot easier.

On line 12 in loginaction.php..shouldn't you be setting $i = $_SESSION['count']?
And, shouldn't this be done before your if statement on line 10?
Jan 7 '10 #14
Yeh I've just made them alterations, the error message now pops up on the 6th attempt, but it isn't updating the database. Any ideas why?
Jan 7 '10 #15
Frinavale
Well it looks like your SQL query is right but it looks like you aren't actually updating the table? This is probably why.

-Frinny
Jan 7 '10 #16
oh :s can u explain please?
Jan 7 '10 #17
Figured it out, I was missing "mysql_query" from the front of update, thanks so much for your help.
Jan 7 '10 #18
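
A complete version of what the thread converges on, as an added example that is not code from any poster: the failed-attempt counter is kept per account in the database rather than in the session, using the 5-attempt limit from the question and the 5-minute window suggested in reply #2. It swaps in PDO prepared statements and `password_hash`/`password_verify` for the thread's `mysql_*` calls and `md5`. The `failed_count` and `window_start` columns, the in-memory SQLite database and the sample account are assumptions made for the demo.

```php
<?php
// Added example, not the posters' code. Assumed extra columns: failed_count, window_start.
const MAX_ATTEMPTS   = 5;    // threshold from the question
const WINDOW_SECONDS = 300;  // the 5-minute window suggested in reply #2

function attemptLogin(PDO $db, string $email, string $password, int $now): string
{
    // Prepared statement: $email never becomes part of the SQL text.
    $st = $db->prepare('SELECT password, activation, failed_count, window_start
                        FROM clients_details WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'failed';               // unknown e-mail looks like a wrong password
    }
    if ((int)$row['activation'] !== 1) {
        return 'blocked';              // not activated, or deactivated by the limiter
    }
    if (password_verify($password, $row['password'])) {
        $db->prepare('UPDATE clients_details SET failed_count = 0 WHERE email = ?')
           ->execute([$email]);
        return 'ok';
    }
    // Failures older than the window no longer count towards the limit.
    $expired = ($now - (int)$row['window_start']) > WINDOW_SECONDS;
    $count   = $expired ? 1 : (int)$row['failed_count'] + 1;
    $start   = $expired ? $now : (int)$row['window_start'];
    $active  = $count >= MAX_ATTEMPTS ? 0 : 1;
    // The UPDATE is actually executed, not only built as a string.
    $db->prepare('UPDATE clients_details
                  SET failed_count = ?, window_start = ?, activation = ? WHERE email = ?')
       ->execute([$count, $start, $active, $email]);
    return $active === 1 ? 'failed' : 'blocked';
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients_details (email TEXT PRIMARY KEY, password TEXT,
           activation INTEGER, failed_count INTEGER DEFAULT 0, window_start INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO clients_details (email, password, activation) VALUES (?, ?, 1)')
   ->execute(['user@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$now = time();
for ($n = 1; $n <= 6; $n++) {
    echo "attempt $n: ", attemptLogin($db, 'user@example.test', 'wrong', $now + $n), "\n";
}
echo 'right password: ', attemptLogin($db, 'user@example.test', 'correct horse', $now + 7), "\n";
```

Because the counter is keyed on the account rather than the browser session, discarding the session cookie does not reset it. The trade-off is that repeated wrong guesses against a known e-mail address deactivate that account for its real owner, so a temporary lock that expires is often preferred to permanent deactivation.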
