问题
good day i have a problem with creating login attempts that will block an existing account from logging in if the user input incorrect details for 5 attempts i have an ajax and a database for it
i tried making a catch for attempts that has a value of 0. then every fail it gives + 1 but it won't add more than ones because i think the ajax command refreshes it again so the attempts recieves 1 loop only.
the login part is working but i can't make the attempts work and do you have any idea how to block the user if attempts is greater than 5 for 15 mins i have search a code for it but it's last used in 2007 so some of the code can't be read by php
here's my ajax code:
on the login page here's the ajax code:
> <script type="text/javascript"> function validLogin(){
> var uname=$('#uname').val();
> var password=$('#password').val(); var attempts=0;
>
> var dataString = 'uname='+ uname + '&password='+ password;
> $("#flash").show();
> $("#flash").fadeIn(400).html('<img src="images/loading.gif" />');
> $.ajax({
> type: "POST",
> url: "login_processed.php",
> data: dataString,
> cache: false,
> success: function(result){
> var result=trim(result);
> $("#flash").hide();
> if(result=='correct0'){
> window.location='user_home.php';
> }
> else if(result=='correct1'){
> window.location='admin_home.php';
> }else{
> $("#errorMessage").html(result);
> $attempts++;
> }
>
> }
> }); } function trim(str){
> var str=str.replace(/^\s+|\s+$/,'');
> return str; } </script>
and here's the login_process.php code for processing of login where it catch the results and errors.
> $message=array(); $attempts=0; if(isset($_POST['uname']) &&
> !empty($_POST['uname'])){
> $uname=mysql_real_escape_string($_POST['uname']); }else{
> $message[]='Please enter username'; }
>
> if(isset($_POST['password']) && !empty($_POST['password'])){
> $password=mysql_real_escape_string($_POST['password']); }else{
> $message[]='Please enter password'; }
>
> $countError=count($message);
>
> if($countError > 0){
> $attempts++; echo $attempts; for($i=0;$i<$countError;$i++){
> echo ucwords($message[$i]).'</br>';
>
> }
>
> }
>
>
> else{
> $query="select * from user where uname='$uname' and BINARY password='$password'";
>
> $res=mysql_query($query);
> $checkUser=mysql_num_rows($res); $row = mysql_fetch_assoc($res);
> if($checkUser > 0){
> $_SESSION['LOGIN_STATUS']=true;
> $_SESSION['UNAME']=$uname;
> echo 'correct'.$row['type'];
> }else{
> echo ucwords('Incorrect Username or Password');
>
> } }
any help would be really appreciated. and can you teach me for the login attempts blocking the user because if i block the ip of a user that have wrong attempts it can affect widely the place where a person login for example a computer shop. :D thanks
回答1:
1.You should create a DB table called attempts or something like it. then put your user ids from the user table you have already in it.
Then every time someone tries to login have the code retrieve the number of current attempts and add 1 to it then update to the table.
Then write a statement that if the attempts for a single account are greater than 5 display a message that tells the user they can't login.
Use a session variable to set the timeout and lockout functionality.
like this
session_start();
$attempts = "your MySQL result from the attempts table";
if($attempts < 5){
//normal login with error message
$next_attempts = $attempts++;
//code to write $new_attempts to attempts table
//set the start of the lockout timer
if($attempts == 4){
$_SESSION('timeout') = time();
}
}
//LOCKED OUT CODE
else{
echo "sorry you have to wait 15 min to log in again";
//Check elapsed time
//10 minute timeout
if ($_SESSION['timeout'] + 10 * 60 < time()) {
$attempts = 0;
//code to write $attempts to table attempts
session_destroy()
}
}
来源:https://stackoverflow.com/questions/18191685/limited-attempts-for-login-and-block-a-users-account-for-a-specific-amout-of-tim