|
PHP - For Login Attempts Check, Should I Do It By Ip+username, Just Ip...?
I want to limit the number of incorrect login attempts within a specified time period (e.g. 15 minutes). I'm wondering what I should tie those attempts to.
e.g. If too many attempts from one ip address for a specific username, lock them out for 15 minutes? Or too many attempts from any ip address for a specific username? Or too many attempts for an ip address matched loosely (i.e. 255.255.255.0 matching) with a specific username? What's the best choice? Just too many attempts for a username? Or also use the ip address? And should I store the attempts in the session, or the DB? Similar Tutorialshope you all had a good Christmas/New Year. I've got a somewhat simple problem I think.. I'm working on a uni practical, and one of the checkpoints is to limit the number of incorrect login attempts to 2. I know I could do this very easily with session variables, however on the practical sheet, it says that we're not allowed to modify any of the partially implemented code. So I was wondering, what other ways are there to track the number of incorrect logins? If it comes to it, I will just use session variables, as it's pretty much the most sensible way I'd imagine.. but would like to know of any other possible ways.. Cheers Denno How to add the ability to login with username or email for login?
<?php
ob_start();
include('../header.php');
include_once("../db_connect.php");
session_start();
if(isset($_SESSION['user_id'])!="") {
header("Location: ../dashboard");
}
if (isset($_POST['login'])) {
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and pass = '" . md5($password). "'");
if ($row = mysqli_fetch_array($result)) {
$_SESSION['user_id'] = $row['uid'];
$_SESSION['user_name'] = $row['user'];
$_SESSION['user_email'] = $row['email'];
header("Location: ../dashboard");
} else {
$error_message = "Incorrect Email or Password!!!";
}
}
?>
I have created a simple login system but need help getting the username after login is successfull. The login page <?php session_start(); require_once 'classes/Membership.php'; $membership = new Membership(); // If the user clicks the "Log Out" link on the index page. if(isset($_GET['status']) && $_GET['status'] == 'loggedout') { $membership->log_User_Out(); } // Did the user enter a password/username and click submit? if($_POST && !empty($_POST['username']) && !empty($_POST['pwd'])) { $response = $membership->validate_User($_POST['username'], $_POST['pwd']); } ?> <div id="login"> <form method="post" action=""> <table width="200" border="0" align="center"> <tr> <th scope="col">Username:</th> <th scope="col"><input type="text" name="username" /></th> </tr> <tr> <td>Password:</td> <td><input type="password" name="pwd" /></td> </tr> <tr> <td colspan="2"><input type="submit" id="submit" value="Login" name="submit" /></td> </tr> </table> <p> </p> <p> <?php if(isset($response)) echo "<h4 class='alert'>" . $response . "</h4>"; ?> </p> </form> </div> Membership.php file <?php require 'Mysql.php'; class Membership { function validate_user($un, $pwd) { $mysql = New Mysql(); $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd)); if($ensure_credentials) { $_SESSION['status'] = 'authorized'; header("location: myaccount.php"); } else return "Please enter a correct username and password"; } function log_User_Out() { if(isset($_SESSION['status'])) { unset($_SESSION['status']); if(isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 1000); session_destroy(); } } function confirm_Member() { session_start(); if($_SESSION['status'] !='authorized') header("location: login.php"); } } myaccount page <?php require_once 'classes/Membership.php'; $membership = New Membership(); $membership->confirm_Member(); ?> <p>Welcome <?= $_SESSION['status'] ?></p is it possible to check a username or email address against a mysql database as the user types it in or when he changes to the next required input field, and if it is not already taken to place a symbol next to the username to show that it is either available or not. I am still quite new to php. Thanks Hi all, i have a script which checks the username field of my register form as the user types it and checks to see if the username is either taken, is too short or availible using jquery, however it isn't working and i've been staring at it for ages trying to work out why. Due to the length of my code ive put it on codepad. Here is my register.php: http://codepad.org/8REOfI8q and here is my check.php: http://codepad.org/gXSkbnsf My form is just displaying "Choose a username" and not changing depending on my input etc... Any help would be great Hey all, In my user registration system I'm trying to figure something out. When the user puts in his information and hits submit it goes into a temporary user table while it waits for the user to click on the activation code in the email that is sent out. Once they click on it it's then transferred into the user table. Now, I have a few questions: 1. Should the user check on the registration screen check both tables for a username match? What if someone starts a registration but never activates it. That username, though not in use, is now taken up in the tempuser table. 2. Should the information in the temporary table be cleared after it is moved into the regular table? Thanks guys! I'm working with a registration/login system from a tutorial. It's got email validation to make sure it does not exist but I'm struggling to add the same to the username field: Working code: Code: [Select] <?php include ('database_connection.php'); if (isset($_POST['formsubmitted'])) { $error = array();//Declare An Array to store any error message if (empty($_POST['name'])) {//if no name has been supplied $error[] = 'Please Enter a name ';//add to array "error" } else { $name = $_POST['name'];//else assign it a variable } if (empty($_POST['e-mail'])) { $error[] = 'Please Enter your Email '; } else { if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) { //regular expression for email validation $Email = $_POST['e-mail']; } else { $error[] = 'Your EMail Address is invalid '; } } if (empty($_POST['Password'])) { $error[] = 'Please Enter Your Password '; } else { $Password = $_POST['Password']; } if (empty($error)) //send to Database if there's no error ' { // If everything's OK... // Make sure the email address is available: $query_verify_email = "SELECT * FROM members WHERE Email ='$Email'"; $result_verify_email = mysqli_query($dbc, $query_verify_email); if (!$result_verify_email) {//if the Query Failed ,similar to if($result_verify_email==false) echo ' Database Error Occured '; } if (mysqli_num_rows($result_verify_email) == 0) { // IF no previous user is using this email . // Create a unique activation code: $activation = md5(uniqid(rand(), true)); $query_insert_user = "INSERT INTO `members` ( `Username`, `Email`, `Password`, `Activation`) VALUES ( '$name', '$Email', '$Password', '$activation')"; $result_insert_user = mysqli_query($dbc, $query_insert_user); if (!$result_insert_user) { echo 'Query Failed '; } if (mysqli_affected_rows($dbc) == 1) { //If the Insert Query was successfull. // Send the email: $message = " To activate your account, please click on this link:\n\n"; $message .= WEBSITE_URL . '/activate.php?email=' . urlencode($Email) . "&key=$activation"; mail($Email, 'Registration Confirmation', $message, 'From: Admin@TheGameCo.Com'); // Flush the buffered output. // Finish the page: echo '<div class="success">Thank you for registering! A confirmation email has been sent to '.$Email.' Please click on the Activation Link to Activate your account </div>'; } else { // If it did not run OK. echo '<div class="errormsgbox">You could not be registered due to a system error. We apologize for any inconvenience.</div>'; } } else { // The email address is not available. echo '<div class="errormsgbox" >That email address has already been registered. </div>'; } } else {//If the "error" array contains error msg , display them echo '<div class="errormsgbox"> <ol>'; foreach ($error as $key => $values) { echo ' <li>'.$values.'</li>'; } echo '</ol></div>'; } mysqli_close($dbc);//Close the DB Connection } // End of the main Submit conditional. ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Game Name - Home</title> <link rel="stylesheet" type="text/css" href="style.css" /> </head> <body> <div id="container"> <div id="header"> <?php include("includes/header.php"); ?> </div> <div id="nav"> <?php include("includes/nav.php"); ?> </div> <div id="content"> <form action="index.php" method="post" class="registration_form"> <fieldset> <legend>Registration Form</legend> <p>Create A new Account<br />Already a member? <a href="login.php">Log in</a></p> <div class="elements"> <label for="name">Username:</label> <input type="text" id="name" name="name" size="25" /> </div> <div class="elements"> <label for="e-mail">E-mail:</label> <input type="text" id="e-mail" name="e-mail" size="25" /> </div> <div class="elements"> <label for="Password">Password:</label> <input type="password" id="Password" name="Password" size="25" /> </div> <div class="submit"> <input type="hidden" name="formsubmitted" value="TRUE" /> <input type="submit" value="Register" /> </div> </fieldset> </form> </div> <div id="footer"> <?php include("includes/footer.php"); ?> </div> </div> </body> </html> I've tried adding this after the email verification: Code: [Select] // Make sure the user is available: $query_verify_user = "SELECT * FROM members WHERE Username ='$name'"; $result_verify_user = mysqli_query($dbc, $query_verify_user); if (!$result_verify_user) { echo ' Database Error Occured '; } } if (mysqli_num_rows($result_verify_user) == 0) { // IF no previous user is using this user . But that just returns me with: It works to stop username/email duplication but now returns: Query Failed You could not be registered due to a system error. We apologize for any inconvenience. Not sure where I'm going wrong tbh. I had this working at some point, but must have changed the code or messed up the login. Anyway the check no longer works to see if a username exist in the database and if it does, display an error. Right now I am just getting the generic error . "Duplicate entry 'SamJ' for key 'usr'". <? // session_start(); //Print_r ($_SESSION); include('config.php'); // Passkey t from link $passkey=$_GET['passkey']; $tbl_name1="Profile_temp"; // Retrieve data from table where row matches passkey $sql1="SELECT * FROM $tbl_name1 WHERE confirm_code ='$passkey'"; $result1=mysql_query($sql1); // If successfully queried if($result1){ // Count how many row has this passkey $count=mysql_num_rows($result1); // if passkey is found retrieve info from temporary DB if($count==1){ $rows=mysql_fetch_array($result1); $FirstName=$rows['FirstName']; $LastName=$rows['LastName']; $UserName=$rows['UserName']; $Password= md5($rows['Password']); $Password2=md5($rows['Password2']); $email=$rows['email']; $Zip=$rows['Zip']; $Birthday=$rows['Birthday']; $Security=$rows['Security']; $Security2=$rows['Security2']; $tbl_name2="Profile"; // Insert data that retrieves from "temp_members_db" into table "registered_members" $sql2="INSERT INTO $tbl_name2(`FirstName`,`LastName`,`Username`,`Password`,`Password2`,`email`,`Zip`,`Birthday`,`Security`,`Security2`) VALUES ('$FirstName','$LastName','$UserName','$Password','$Password2','$email','$Zip','$Birthday','$Security','$Security2')"; //echo $sql2; $result2=mysql_query($sql2) or die(mysql_error()); } // if passkey is not found, display message "Wrong Confirmation code" else { echo "<h2>Sorry, Your passkey was not found.</h2>"; } $sql3="select * from $tbl_name2 where username = '$UserName'"; $result3=mysql_query($sql3) or die(mysql_error()); if ($_REQUEST['error'] == 1){ echo "Sorry, that user name already exist!"; } } else { } while ($row = mysql_fetch_assoc($result3)) { $_SESSION['id'] = $row['id']; $_SESSION['FirstName']=$row['FirstName']; } // if successfully moved data from table"temp_members_db" to table "registered_members" displays message "Your account has been activated" and don't forget to delete confirmation code from table "temp_members_db" if($result2){ echo "<h3>Welcome {$_SESSION['FirstName']} </h3>"; echo "<h2>Your account has been activated</h2>"; echo"<p>You may now upload a profile picture</p>"; //file upload echo " <form enctype='multipart/form-data' action='Profile.php' method='POST'> <fieldset> <legend>Upload your profile picture</legend> <ol> <li id='example3'> <label for='FileUpload'>Choose a file to upload:</label> <input name='myfile' id='FileUpload' type='file' /> <input type='submit' name='submit' value='Upload File' /> </li> </ol> </fieldset> </form> "; } } if($result3){ // Delete information of this user from table "temp_members_db" that has this passkey $sql4="DELETE FROM $tbl_name1 WHERE confirm_code = '$passkey'"; $result4=mysql_query($sql4) or die(mysql_error()); ?> can anyone see what is wrong? Ok so I'm still having problems. This is what I need: I want a function to echo a message if a username does not pass my requirments. - Only letters and / or numbers - Must start with a letter (not a number) - No spaces The current code is not working for me. Please help Code: [Select] }else if (!(eregi('/[A-Za-z0-9-]+',($_POST["username"])))){ echo "<p> </p><p> </p><p> </p><br />Must only contain numbers and letters and cannot exceed 10 characters.<p> </p><p> </p><a href='javascript:javascript:history.go(-1)'>Click here to go back to previous page</a>"; Hi all,
I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login.
Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat?
Thanks all.
Hi guys, <----- new to this forum and coding for that matter! I have a question. I have been asking around and reading up about how to make a forum with my current tools (dreamweaver/mysql/mysqlyog) for my website, and 90% of the time the answer i get is "if your asking the question, dont bother..... use mybb or some other premade forum" Which is fine, i dont mind! But know i have an issue. To get access to my website you are requierd to login before you can do anything, after login your able to use the whole site. But now if i use one of these ready made forums such as mybb or whatever users are required to make ANOTHER registration and login aswell! and me no likes this! So my question is, is there a way to make it so the forum runs off the same login used for my website? TIA Gromit Hello Im making a secure php login system and ideally wanted to also md5 hash the username as well as the password. My reasons for doing this is to completey stop sql injections as i can combine the md5 hash with salt for the $_POST['username']. Now my problem is i need to be able to de-hash (if this is a word) the username for admin purposes of the business. For password reset i will just send a new password. Is there anyway that i can do this easily whilst keeping my username secure and stop sql injection for username? Hello all; I have a client that has a members area. He asked me to password protect it, which I did simply by assigning one static password. Now he wants a full username/login system where the member can set their own password, which I have never done before. I assume I'd just set up a Table with three fields, (one for name, one for password, one for the type of access they have) then check against it for access, but experience has taught me that whenever something seems simple, it's actually very complex. Do any of you know of any good premade templates for this kind of thing? Ideally it'd be session-based (obviously). I found one system he http://frozenade.wordpress.com/2007/11/24/how-to-create-login-page-in-php-and-mysql-with-session/ but it's several years old, and the misspellings in the comments tend to scare me away a bit. Thanks for any help you might be able to provide. Hi guys Can someone help me about this: The php code can be revise username and password with CURL then check database and if username & password is correct return true else false. Thanks Is there a way to get current logged in username and based on that redirect to a different page? I’m using the following secure PHP login without MySql as a login system: https://sourceforge.net/projects/phploginbyvallastech/ Now I’m looking to redirect each logged in user to their personalized page. But I can’t figure out how to A) fetch the current logged in user and B) redirect multiple users. This code redirects to the latter address, but the username based redirect is not working: <?php session_start(); if ($_SESSION["username"]==User1){ header("location: user1content.php"); exit; } else { header("location: generalcontent.php"); exit; } { ?> <?php } ?>
So it’s clearly not fetching the logged in user. Though <?php echo $login->username; ?> fetches the username just fine. Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.
Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.
So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.
What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.
I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?
/**
* Select the database
*
* @access private called by the base class
* @return resource
*/
function db_select()
{
return @mysql_select_db($this->database, $this->conn_id);
}
Thanks in advance.
So basically my project is one where the user can log onto my website, and the page then checks if the ID and password are in my table in my microsoft access file. If the username and password are the same, the user continues, if it isnt, then it stays on the same page and says something like "username and/or password are incorrect" or something along the lines of that. the problem is right now im not sure how to make it say "ERROR username and/or password is incorrect" if the username and password dont match. Can someone help me with this? and also make sure if the username and password are correct that it goes to the next page, entitled searchpage.php here is the code Code: [Select] <html> <head> <style type="text/css"> </style> </head> <body style="text-align:center"> <div id='title'> </div> <?php print_r ($_POST) ; if if (isset($_POST['Login'])) { if(isset($_POST['username'])){ $username= $_POST['username'] ; } if(isset($_POST['password'])){ $TABLE= $_POST['password'] ; } $username = null ; $password = null ; $connection = odbc_connect('Olympics', '', ''); if (!$connection) {exit("Conection Failed: " . $connection);} $username = stripslashes($username); $password = stripslashes($password); $sql = "select * from users where users = '$username' and passwords = '$password'"; $rs=odbc_exec($connection,$sql); $count=odbc_num_rows($rs); if ($count == 1) { $_SESSION['loggedIn'] = "true"; header("Location: searchpage.php"); } else { $_SESSION['loggedIn'] = "false"; header("Location: index.php"); echo "Login failed" ; } } echo "<form action='index.php' method='post'> \n" ; echo" Please enter your username and password if you wish. <br/> \n" ; echo "Username: <input type='text' name='username' > \n " ; echo "Password: <input type='password' name='password' > \n" ; echo "<input type='submit' value='Login' name='Login'> <br/> \n" ; echo "<input type='submit' value='You may also continue you as a guest.'> \n" ; echo "</form>" ; ?> </body> </html> This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=318572.0 |
|||||||