Failed login attempt limiter

Ask about a PHP problem here.
Post Reply
wrichards8
Posts: 66
Joined: Thu Jan 12, 2012 3:54 pm
Contact:

Failed login attempt limiter

Post by wrichards8 »

I am trying to build a mechanism into my login script which will lock you out of your account for 2 mins if you have so many failed login attempts. This is the code I have
<div id="login-box"><h1>Login Portal</h1>
<?php $user = mysql_real_escape_string(strtolower($_POST["loginuname"]));
$pass = $_POST["loginpass"];
$output =" ";
if ($user&&$pass)
{
	$future = time() + 120;
	$timenow = time();
	$ip_address = $_SERVER['REMOTE_ADDR'];
	$query = mysql_query("SELECT userid, username, password, activated FROM useraccounts WHERE username='$user'");
	$numrows = mysql_num_rows($query);
	if($numrows==0)
	{
		$output = "User '". $user ."' not found";
	}
	else
	{
		while($result = mysql_fetch_assoc($query))
		{
			$storepass = $result["password"];
			$activestat = $result["activated"];
			$userident = $result["userid"];
		}
	}
	$passenc = passcrypt($pass);
	if($passenc==$storepass)
	{
		if($activestat==0)
		{
			$output = "Account is inactive... Click here to <a href='index.php?page=activate'>activate</a> it";
		}
		else
		{
			$accesslog = mysql_query("SELECT accessid, username, timecode, ip_address FROM accesslog WHERE username='$user'");
			$accessrows = mysql_num_rows($accesslog);
			echo mysql_error();
			if($accessrows==0)
			{
				mysql_query("INSERT INTO accesslog (username, timecode, ip_address) VALUES ('$user','$future','$ip_address')");
			}
			else
			{
				while($log = mysql_fetch_assoc($accesslog))
				{
					$address = $log["ip_address"];
					$timecode = $log["timecode"];
					$accessid = $log["accessid"];
				}
				if($timenow < $timecode)
				{
					if($accessid >= 6)
					{
						$output = "You have exceeded the maximum number of login attempts, please try again in 2 minutes";
					}
				}
				if($timenow < $timecode)
				{
					mysql_query("DELETE FROM accesslog WHERE username='$user'");						
					$output = "You have been logged in, click <a href='user' tabindex='1'>here</a> to continue";
					$_SESSION["id"] = $userident;					
				}
			}
		}
	}
	else
	{
		$output = "Incorrect password";
		$invalid = "INSERT INTO accesslog (username, timecode, ip_address) VALUES ('$user','$future','$ip_address') ON DUPLICATE KEY UPDATE accessid= accessid+1, timecode='$future', ip_address='$ip_address'";
		mysql_query($invalid);
	}
}
else
{
	$output = "Username or password not entered";
}
?>
<div id="centered"><?php echo $output; ?><br><br>
<a href="index.php" tabindex="2">Go back home</a>
</div>
</div>
My basic problem is that, even though MySQL will increment every failed login attempt, it won't let you log back in when the 2 mins are up
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Failed login attempt limiter

Post by jacek »

You have done something that really bothers me when I look at people's code !
                                while($log = mysql_fetch_assoc($accesslog))
                                {
                                        $address = $log["ip_address"];
                                        $timecode = $log["timecode"];
                                        $accessid = $log["accessid"];
                                }
Here you use a loop but the query will only ever return one row since usernames have to be unique. You can just do
                                $log = mysql_fetch_assoc($accesslog);
                                        $address = $log["ip_address"];
                                        $timecode = $log["timecode"];
                                        $accessid = $log["accessid"];
which will do the exact same thing.

I think the problem is here
if($timenow < $timecode)
You are checking this same condition for both blocks. One of them should be
if($timenow < $timecode)
or you could just do
if($timenow < $timecode){
    // Cant log in yet
}else{
    // login
}
Image
Post Reply