I'm trying to ban a user from logging in to a site after 3 failed attempts.

Code:

<?php

require 'konek/dbcon.php';

if (isset($_POST['login'])) 
 {
    session_start();

    //$link = mysqli_connect('localhost', 'root', '','abra') or die("Could not connect database");
    if (empty($_POST['uname']) || empty($_POST['passw']))
        {
            header ('Location: login.php');
            die();
        }

    if (ctype_upper($_POST['uname']) || ctype_upper($_POST['passw']))
        {
            header ('Location: login.php');
            die();
        }

    $username = mysqli_real_escape_string($con, $_POST['uname']);
    $password = mysqli_real_escape_string($con, $_POST['passw']);

    //FOR VALIDATION
    $result=mysqli_query($con, "SELECT * FROM customers WHERE username= '".$username."' AND password='".$password."'");
    $row = mysqli_fetch_assoc($result);

    $usertype = 'customer';
    $ldate = date('Y-m-d H:i:s');

    //SAVE DETAILS FOR LOGS
    $sql="INSERT INTO logs (username, utype, logdate) VALUES ('$username', '$usertype', '$ldate')";
    $result2 = mysqli_query($con, $sql);


        if(mysqli_num_rows($result) != 0 && $result2) 
        {
            session_regenerate_id();
            $_SESSION['SES_ID'] = $row['cID'];
            $_SESSION['SES_UNAME'] = $row['username'];
            session_write_close();
            header('location: main/index.php');
            die();
        }
        else 
        {
            if(isset($_COOKIE['login']))
                    {
                        if($_COOKIE['login'] < 3)
                            {
                                $attempts = $_COOKIE['login'] + 1;
                                setcookie('login', $attempts, time()+60*10);
                                header('location: login.php');
                                die();
                            } 
                        else
                        {
                            echo '<script language="javascript">alert("3 Login attempts failed. Wait for 10 minutes then try again.")</script>';
                            echo '<script language="javascript">location.replace("index.php");</script>';
                        }
                    } else {
                        setcookie('login', 1, time()+60*10);
                    }
                    exit;


        }
    }
?>

It all works, but there's a problem. If the user logs in with the correct details the 4rth time, they can enter the site (main).
Is there a work-around this so not to allow user to login even with correct details for 10 minutes?

To make this work properly you'd have to include the lock-out function in server code otherwise the 10 minute stand down only applies to the device her was on at the time. As you have it now, lock him out of his tablet and he can log in on his phone.
You would need to add a field to database table that held the time until the lockout expired. Any attempts to log in check that as well as the user name/password and fail if server time is less than lock out time.
You can then do things like disabling the log in button but you'd need to be careful about how the page would know to activate it again.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.