Help! Super beginner :) Deny Access if password is wrong 3 times

Question

weirdCreature7 0 Newbie Poster

12 Years Ago

Please help im a super beginner in php and I am doing this for my homework :) I just want to add a code that will Deny Access if password is wrong 3 times and the code for my alert box which is the Incorrect username and password is not working:( by the way im using xampp mysql for my database :) pls help!

this is login_form_admin.php

<html>
    <body bgcolor="black">
    <center><br><br><br>
    <table><tr><td>
    <div id="flashContent">
            <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="500" height="300" id="Home_Slideshow" align="middle">
                <param name="movie" value="Home_Slideshow.swf" />
                <param name="quality" value="high" />
                <param name="bgcolor" value="#ffffff" />
                <param name="play" value="true" />
                <param name="loop" value="true" />
                <param name="wmode" value="window" />
                <param name="scale" value="showall" />
                <param name="menu" value="true" />
                <param name="devicefont" value="false" />
                <param name="salign" value="" />
                <param name="allowScriptAccess" value="sameDomain" />
                <!--[if !IE]>-->
                <object type="application/x-shockwave-flash" data="Home_Slideshow.swf" width="500" height="300">
                    <param name="movie" value="Home_Slideshow.swf" />
                    <param name="quality" value="high" />
                    <param name="bgcolor" value="#ffffff" />
                    <param name="play" value="true" />
                    <param name="loop" value="true" />
                    <param name="wmode" value="window" />
                    <param name="scale" value="showall" />
                    <param name="menu" value="true" />
                    <param name="devicefont" value="false" />
                    <param name="salign" value="" />
                    <param name="allowScriptAccess" value="sameDomain" />
                <!--<![endif]-->
                    <a href="http://www.adobe.com/go/getflash">
                        <img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />
                    </a>
                <!--[if !IE]>-->
                </object>
                <!--<![endif]-->
            </object>
    </div></td>

    <td>
    <form action="login_admin.php" method="POST">
        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        &nbsp&nbsp&nbsp
        <font face = "century gothic" color = "#FFFC17" size = "5"><b>ADMIN - LOG IN</b></font><br/><br/><br/>

        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        <font face = "century gothic" color = "#FFFC17" size = "3">User Name:</font><br/>
        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        <input name="user" type="text" placeholder = "Enter User Name" size = "30"><br/><br/>

        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        <font face = "century gothic" color = "#FFFC17" size = "3">Password:</font><br/>
        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        <input name="pass" type="password" placeholder = "Enter Password" size = "30"><br/><br/><br/>

        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
        <input type="submit" value="      Log In      ">
        </form>
    </td></tr>
    </center>
    </table>
    <?php login_form_admin.php ?>
    </body>
</html>


//login_admin.php
<?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>

<body>
<?php 
$host = "localhost"; //DB host 
$username = "root";  //DB Username 
$password = ""; //DB Password 
$db_name = "admin"; //DB Name 
$tbl_name = "tbl_user"; //Table name, where users are stored 

mysql_connect("$host", "$username", "$password")or die("cannot connect"); //Connect to DB 
mysql_select_db("$db_name")or die("cannot select DB"); //Select DB 

$username = $_POST['user']; //Get username from login form 
$password = $_POST['pass']; //Get password from login form 

$username = stripslashes($username); //Makes string safe 
$password = stripslashes($password); //Makes string safe 
$username = mysql_real_escape_string($username); //Makes string safer 
$password = mysql_real_escape_string($password); //Makes string safer 

$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; //SQL Query 
$result = mysql_query($sql); //Executes Query 

$rows = mysql_num_rows($result); //Count rows selected (1 if a username/password combo can be found) 

if($rows == 1){ 
session_start(); //Starts a PHP session 
$_SESSION['username'] = $username; 

$query  = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; 
$result = mysql_query($query); 
while($row = mysql_fetch_array($result, MYSQL_ASSOC)) 

$_SESSION['authenticated'] = 1; //Allows $id to be used later 

header("location: homebody_admin.php");
} 
else  
{ 

print '<script type="text/javascript">'; 
print 'alert("Invalid Username and Password!")'; 
print '</script>';

header("location: login_form_admin.php?msg=$msg");
} 
?> 

</body>
</html>

php

3 Contributors
2 Replies
298 Views
23 Hours Discussion Span
Latest Post 12 Years Ago Latest Post by devianleong

diafol

12 Years Ago

A word of advice on this - malicious users can use this feature to block innocent users. Perhaps a 15 minute block or something may be better? We had this issue on our phpBB forum a while ago as part of a sustained DoS attack. You could re-enable the account with a security question or something similar?

So for example a two columns in your user table for 'Attempts' and 'Denial' set to a unix_timestamp, which translates to 15 mins since third incorrect attempt. Both fields cleared on successful login or successful security question answer.

Anyway, I'm just rambling now. Permanent denial may cause real problems if you have (a) malicious user(s).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

devianleong 0 Newbie Poster · Answer 1 · 2012-07-29T09:21:54+00:00

Ok. You can create 2 attributes which is access and denied in $tbl_access database.

This is the idea how to implement the function(My own idea. Guide me back if I'm wrong).

1)determine the user IP address.
2)Insert the record for the IP in tbl_access EVERYTIME user enter to the website.
3)check the user IP in the database,if IP has found in $tbl_access :

if(access < 3){
//your validation code here
if login success,delete the IP in tbl_access
else login failed, UPDATE $tbl_access SET access +1 WHERE IP = the IP.
}else{
mysql_query("UPDATE $tbl_access SET denied = CURDATE(),INTERVAL 15 MINUTE") or die(mysql_error);
}