I'm trying to ban a user from logging in to a site after 3 failed attempts.
Code:
<?php
require 'konek/dbcon.php';
if (isset($_POST['login']))
{
session_start();
//$link = mysqli_connect('localhost', 'root', '','abra') or die("Could not connect database");
if (empty($_POST['uname']) || empty($_POST['passw']))
{
header ('Location: login.php');
die();
}
if (ctype_upper($_POST['uname']) || ctype_upper($_POST['passw']))
{
header ('Location: login.php');
die();
}
$username = mysqli_real_escape_string($con, $_POST['uname']);
$password = mysqli_real_escape_string($con, $_POST['passw']);
//FOR VALIDATION
$result=mysqli_query($con, "SELECT * FROM customers WHERE username= '".$username."' AND password='".$password."'");
$row = mysqli_fetch_assoc($result);
$usertype = 'customer';
$ldate = date('Y-m-d H:i:s');
//SAVE DETAILS FOR LOGS
$sql="INSERT INTO logs (username, utype, logdate) VALUES ('$username', '$usertype', '$ldate')";
$result2 = mysqli_query($con, $sql);
if(mysqli_num_rows($result) != 0 && $result2)
{
session_regenerate_id();
$_SESSION['SES_ID'] = $row['cID'];
$_SESSION['SES_UNAME'] = $row['username'];
session_write_close();
header('location: main/index.php');
die();
}
else
{
if(isset($_COOKIE['login']))
{
if($_COOKIE['login'] < 3)
{
$attempts = $_COOKIE['login'] + 1;
setcookie('login', $attempts, time()+60*10);
header('location: login.php');
die();
}
else
{
echo '<script language="javascript">alert("3 Login attempts failed. Wait for 10 minutes then try again.")</script>';
echo '<script language="javascript">location.replace("index.php");</script>';
}
} else {
setcookie('login', 1, time()+60*10);
}
exit;
}
}
?>
It all works, but there's a problem. If the user logs in with the correct details the 4rth time, they can enter the site (main).
Is there a work-around this so not to allow user to login even with correct details for 10 minutes?