-2

How to block the user after 3 login attempts and store it to database? I already add two columns in user table, one for number of login attempts and second, for datetime of last login. Please help me, how to do this. I'm not good in PHP.

Thanks

Here's my login.php

session_start();
$ipaddress = '';
if (getenv('HTTP_CLIENT_IP'))
    $ipaddress = getenv('HTTP_CLIENT_IP');
else if(getenv('HTTP_X_FORWARDED_FOR'))
    $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
else if(getenv('HTTP_X_FORWARDED'))
    $ipaddress = getenv('HTTP_X_FORWARDED');
else if(getenv('HTTP_FORWARDED_FOR'))
    $ipaddress = getenv('HTTP_FORWARDED_FOR');
else if(getenv('HTTP_FORWARDED'))
    $ipaddress = getenv('HTTP_FORWARDED');
else if(getenv('REMOTE_ADDR'))
    $ipaddress = getenv('REMOTE_ADDR');
else
    $ipaddress = 'UNKNOWN';

$loginDate = date("Y-m-d H:i:s");
$Error ="";
$successMessage ="";
if (isset($_POST['submit'])){
if ( !( $_POST['cnumber'] == "" && $_POST['password'] == "")){
    $cnumber=$_POST['cnumber'];
    $password= sha1($_POST['password']);
    $cnumber = filter_var($cnumber, FILTER_SANITIZE_NUMBER_INT);

if (filter_var($cnumber, FILTER_VALIDATE_INT)){
$con=mysqli_connect("localhost","root","","users");

$result = mysqli_query($con, "SELECT * FROM users WHERE contractNumber='$cnumber' AND password='$password'");
$data = mysqli_num_rows($result);

if($data==1){
    $_SESSION['login_user']=$cnumber;
    mysqli_query($con, "INSERT INTO `users`.`logs`(`contractNumber`, `lastLogin`, `ipAddress`) VALUES ('$cnumber', '$loginDate', '$ipaddress')");
    header('Location: profile.php');
} else {
    $Error ="Invalid Contract Number or Password.";
    mysqli_query($con, "UPDATE users SET loginAttempt = loginAttempt + 1 WHERE contractNumber = '$cnumber' ");
    print_r(mysqli_affected_rows($con));
} 
    mysqli_close($con);
} else {
    $Error ="Invalid Contract Number.";
 }
} else {
    $Error ="Contract Number or Password is Empty.";
}
}
Dharman
  • 30,962
  • 25
  • 85
  • 135
User014019
  • 1,215
  • 8
  • 34
  • 66
  • 3
    Store the number of login attempts in a session. After that value is passed don't display the login form anymore... Alternative/additionally, once session exceeds limit unverify their account in the DB and require them to contact an admin for access. – chris85 Jun 11 '15 at 02:25
  • @chris85 how to do this? i'm not good in php. can you help me with this? – User014019 Jun 11 '15 at 02:34
  • 2
    Don't store the # of attempts in a session. Then a bot can just ignore the session cookies and keep trying without being blocked. Either store the failed login attempts in a database by IP address or contact number (depending on whether you'd like to lock the account out or the IP address). – drew010 Jun 11 '15 at 03:05
  • @drew010 i don't how to do that. can you help me? pls – User014019 Jun 11 '15 at 03:13
  • @drew010's idea is the better route to go. Here's an older thread on it, http://webcheatsheet.com/php/blocking_system_access.php. Don't use the `mysql_` functions they are using there keep using your `mysqli_`. – chris85 Jun 11 '15 at 03:27
  • @chris85 there's other simple way how to do that? – User014019 Jun 11 '15 at 03:36
  • There are plenty of ways to do this. Google `maximum login attempt limitations php`. You could even do it with a hidden input field, I don't recommend that but you could.., – chris85 Jun 11 '15 at 03:48

3 Answers3

4

Don't use cookies as the hacker can still disable cookies and continue brute force attacks. Use your database instead. For every failed attempt, log it into the table, together with a time stamp. Then on each request, do a query with the user ID and time stamp, then get the count. That should give you the number of times tried.

Rotimi
  • 4,783
  • 4
  • 18
  • 27
-1

A similar Q&A can be found in this thread: Increment a database field by 1

The login attempts should actually be stored separately from the user table. You can block login attempts by storing the number of attempts client side (putting the number of attempts in a cookie) or by storing the IP of the user trying to log in with the number of attempts server side (in your sql database); incrementing the number of attempts per each failed login. The cookie method has a drawback of being easily circumvented by an attacker. The IP address method is more difficult to circumvent but has a drawback of blocking people sharing the same IP. I would use a little bit of both methods; applying rules like 3 attempts for the cookie and 15 attempts for the IP address/attempts table.

IP address variable: $_SERVER["REMOTE_ADDR"];
Getting cookies: $_COOKIE["cookie_name"];
Setting cookies: setcookie("cookie_name", "value", time()+$seconds);

Basic implementation of the cookie method:

// before login attempt:
$attempt_count = intval(@$_COOKIE["login_count"]); 
if($attempt_count > 3){
   die("Too many attempts");
}

_

// on failed login attempt:
setcookie("login_count", $login_count+1, time()+600);
// cookie set to expire at (now+600 seconds); 10 minutes

http://php.net/manual/en/function.setcookie.php

Community
  • 1
  • 1
shygoo
  • 407
  • 4
  • 4
-1

First when the user tries with incorrect password you have to increment login attempt field by one. Then check the login attempt count equals to 3 or not. if it is 3 means then block the user by changing their status

    $result = mysqli_query($con, "SELECT * FROM Users WHERE contractNumber='$cnumber' AND password='$password'");
    $data = mysqli_num_rows($result);
    if($data==1)
    {
          $_SESSION['login_user']=$cnumber; // Initializing Session
          header('Location: profile.php');
    } 
    else
    {
          mysqli_query($con, "UPDATE tablename login_attempts = login_attempts+1 WHERE contarct_number = ". $cnumber");
          /*Select query login attempts and check the count*/


    }
Sivabalan
  • 971
  • 2
  • 18
  • 43