<div id="login-box"><h1>Login Portal</h1>
<?php
$user = mysql_real_escape_string(strtolower($_POST["loginuname"]));
$pass = $_POST["loginpass"];
$output = " ";
if ($user && $pass)
{
    $future = time() + 120; // lockout expiry: two minutes from now
    $timenow = time();
    $ip_address = $_SERVER['REMOTE_ADDR'];
    $query = mysql_query("SELECT userid, username, password, activated FROM useraccounts WHERE username='$user'");
    $numrows = mysql_num_rows($query);
    if ($numrows == 0)
    {
        // HTML-escape the submitted name before it is echoed back into the page
        $output = "User '" . htmlspecialchars($user, ENT_QUOTES) . "' not found";
    }
    else
    {
        while ($result = mysql_fetch_assoc($query))
        {
            $storepass = $result["password"];
            $activestat = $result["activated"];
            $userident = $result["userid"];
        }
    }
    $passenc = passcrypt($pass);
    if ($passenc == $storepass)
    {
        if ($activestat == 0)
        {
            $output = "Account is inactive... Click here to <a href='index.php?page=activate'>activate</a> it";
        }
        else
        {
            // Look up any recorded failed attempts for this user
            $accesslog = mysql_query("SELECT accessid, username, timecode, ip_address FROM accesslog WHERE username='$user'");
            $accessrows = mysql_num_rows($accesslog);
            echo mysql_error();
            if ($accessrows == 0)
            {
                mysql_query("INSERT INTO accesslog (username, timecode, ip_address) VALUES ('$user','$future','$ip_address')");
            }
            else
            {
                while ($log = mysql_fetch_assoc($accesslog))
                {
                    $address = $log["ip_address"];
                    $timecode = $log["timecode"];
                    $accessid = $log["accessid"];
                }
                if ($timenow < $timecode)
                {
                    if ($accessid >= 6)
                    {
                        $output = "You have exceeded the maximum number of login attempts, please try again in 2 minutes";
                    }
                }
                if ($timenow < $timecode)
                {
                    mysql_query("DELETE FROM accesslog WHERE username='$user'");
                    $output = "You have been logged in, click <a href='user' tabindex='1'>here</a> to continue";
                    $_SESSION["id"] = $userident;
                }
            }
        }
    }
    else
    {
        $output = "Incorrect password";
        // Record the failed attempt and push the lockout expiry forward
        $invalid = "INSERT INTO accesslog (username, timecode, ip_address) VALUES ('$user','$future','$ip_address') ON DUPLICATE KEY UPDATE accessid= accessid+1, timecode='$future', ip_address='$ip_address'";
        mysql_query($invalid);
    }
}
else
{
    $output = "Username or password not entered";
}
?>
<div id="centered"><?php echo $output; ?><br><br>
<a href="index.php" tabindex="2">Go back home</a>
</div>
</div>
My basic problem is that, even though MySQL will increment every failed login attempt, it won't let you log back in when the 2 mins are up.
Failed login attempt limiter
wrichards8
- Posts: 66
- Joined: Thu Jan 12, 2012 3:54 pm
Failed login attempt limiter
I am trying to build a mechanism into my login script which will lock you out of your account for 2 mins if you have so many failed login attempts. This is the code I have
Re: Failed login attempt limiter
You have done something that really bothers me when I look at people's code!
I think the problem is here
while($log = mysql_fetch_assoc($accesslog))
{
    $address = $log["ip_address"];
    $timecode = $log["timecode"];
    $accessid = $log["accessid"];
}
Here you use a loop but the query will only ever return one row since usernames have to be unique. You can just do
$log = mysql_fetch_assoc($accesslog);
$address = $log["ip_address"];
$timecode = $log["timecode"];
$accessid = $log["accessid"];
which will do the exact same thing.
I think the problem is here
if($timenow < $timecode)
You are checking this same condition for both blocks. One of them should be
if($timenow > $timecode)
or you could just do
if($timenow < $timecode){
    // Can't log in yet
}else{
    // login
}
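The lockout decision discussed in this thread, written out as an added example that is not code from either poster: the lock is checked before the password, and the failure count resets once the two-minute window has passed. It uses PDO prepared statements and `password_hash()`/`password_verify()` in place of the thread's `mysql_*` calls and `passcrypt()`; `login_attempt()`, the `failures` table, the constants and the demo rows are all assumed names and constructed data.

```php
<?php
// Added example. login_attempt(), the "failures" table and both constants
// are assumed names; the demo rows below are constructed.
const MAX_FAILURES = 6;    // threshold from the original post
const LOCK_SECONDS = 120;  // two-minute window from the original post

function login_attempt(PDO $db, string $user, string $pass, int $now): string
{
    // Prepared statements keep user input out of the SQL text.
    $q = $db->prepare('SELECT failures, locked_until FROM failures WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'locked_until' => 0];

    // Check the lock before the password, so a correct guess cannot bypass it.
    if ($row['failures'] >= MAX_FAILURES && $now < $row['locked_until']) {
        return 'locked';
    }
    // Once the window has passed, earlier failures no longer count.
    $failures = $now >= $row['locked_until'] ? 0 : (int) $row['failures'];

    $q = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash !== false && password_verify($pass, $hash)) {
        $db->prepare('DELETE FROM failures WHERE username = ?')->execute([$user]);
        return 'ok';
    }
    // Unknown user and wrong password get the same answer and the same counting.
    $db->prepare('REPLACE INTO failures (username, failures, locked_until) VALUES (?, ?, ?)')
       ->execute([$user, $failures + 1, $now + LOCK_SECONDS]);
    return 'denied';
}

// Constructed demo: in-memory SQLite stands in for the MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE failures (username TEXT PRIMARY KEY, failures INT, locked_until INT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

$t = 1000;                                  // constructed clock value
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login_attempt($db, 'alice', 'wrong', $t + $i);
}
echo login_attempt($db, 'alice', 's3cret', $t + 10), "\n";                // inside the window
echo login_attempt($db, 'alice', 's3cret', $t + 5 + LOCK_SECONDS), "\n";  // window has passed
```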