PHP - Not Clearing Locked Out User
For some reason, if the user has 5 failed attempts at logging in, they then have to wait 10 minutes to try again. If they are able to log in successfully, it's supposed to clear the locked-out user, and for some reason it's not. Anyone see why it isn't?
Code:
<?php
// User is registered and verified
$query = "SELECT * FROM users_logins_attempts WHERE users_id = '".$users_id."'";
$result = mysqli_query($dbc,$query);
$row = mysqli_fetch_array($result);
$lock_date = $row['lock_date'];

// Find out if user is locked out of their account
if (($lock_date != "0000-00-00 00:00:00") && strtotime($lock_date) >= time()) {

    $locked = "yes";

    // Account locked error
    $errors = true;
    $message = "Account is locked! Please try again later!";

    $output = array('errorsExist' => $errors, 'message' => $message);

} else {

    $locked = "no";

    // Clear the lock
    $query = "UPDATE users_logins_attempts SET lockDate = NULL, ip_address = NULL, failed_logins = 0 WHERE users_id = '".$users_id."'";
    $result = mysqli_query($dbc,$query);

    // Account locked error
    $errors = true;
    $message = "Account is unlocked. You may now try to log in again!";

    $output = array('errorsExist' => $errors, 'message' => $message);

}

if($locked == "yes"){
    /*hack around messy nested if statments*/
} else {
    if ($lock_date != "0000-00-00 00:00:00") {
        $locked = "yes";

        // Clear the lock
        $query = "UPDATE users_logins_attempts SET lockDate = NULL, ip_address = NULL, failed_logins = 0 WHERE users_id = '".$users_id."'";
        $result = mysqli_query($dbc,$query);
    }
?>

Similar Tutorials

I recently launched my new website, and in just a few days I have been locked out of my MySQL database.
My website makes use of a few tables within a MySQL database. However, now when my website tries to access that database, it is given no access -- and neither am I when I try to access it via the control panel.
I'm pretty sure that someone changed the password to my database. For my website, I wrote several PHP functions that use tables within the database. In order to connect to the database, I had to give the username and password within the PHP functions using the "mysql_connect" function.
mysqli_connect(host,username,password,dbname);
Because this information can be found inside the PHP functions, and because my PHP functions are located inside the "public" directory for my web host, could someone have gotten this information, and then changed my password through my control panel?
I have contacted my web host and they are investigating the issue of my password being changed. But does it sound as if someone could do something like this if the source code for all of my pages is in the "public" directory?
I'm no expert when it comes to building websites. I was happy to finally get my website to work. Now, it seems, that I have to deal with people being malicious. What's the best way to keep someone from being able to change the password to my database? Is it a problem for me to keep my functions in the same directory (the "public" directory) as my other website pages?
The good news is that people are starting to visit my website. The bad news is that some of these people have bad intent.
Thanks for your time.
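Added example, not code from any post on this page: a self-contained sketch of the 5-attempt, 10-minute lockout described in the opening post, using PDO with an in-memory SQLite table so it runs without a database server. It assumes the column is named lock_date, as that post's SELECT reads it (its UPDATE writes lockDate and never checks the result of mysqli_query()); the function names, the user id and the IP address are made up for illustration.

```php
<?php
// Added example. Constructed in-memory SQLite table; column names follow the post,
// function names are hypothetical. lock_date holds the lock expiry, NULL = not locked.
const MAX_FAILURES = 5;    // from the post: 5 failed attempts
const LOCK_SECONDS = 600;  // from the post: 10 minute wait

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec("CREATE TABLE users_logins_attempts (users_id INTEGER PRIMARY KEY,
    failed_logins INTEGER NOT NULL DEFAULT 0, ip_address TEXT, lock_date TEXT)");
$db->exec("INSERT INTO users_logins_attempts (users_id) VALUES (7)"); // constructed user

function isLocked(PDO $db, int $id, int $now): bool {
    $st = $db->prepare("SELECT lock_date FROM users_logins_attempts WHERE users_id = ?");
    $st->execute([$id]);
    $lock = $st->fetchColumn();
    return is_string($lock) && $lock !== '0000-00-00 00:00:00' && strtotime($lock) >= $now;
}

function recordFailure(PDO $db, int $id, string $ip, int $now): void {
    $db->prepare("UPDATE users_logins_attempts SET failed_logins = failed_logins + 1,
        ip_address = ? WHERE users_id = ?")->execute([$ip, $id]);
    // Start the lock once the threshold is reached.
    $db->prepare("UPDATE users_logins_attempts SET lock_date = ?
        WHERE users_id = ? AND failed_logins >= ?")
       ->execute([date('Y-m-d H:i:s', $now + LOCK_SECONDS), $id, MAX_FAILURES]);
}

// Reset after a successful login or an expired lock; returns the rows changed.
function clearLock(PDO $db, int $id): int {
    $st = $db->prepare("UPDATE users_logins_attempts SET lock_date = NULL,
        ip_address = NULL, failed_logins = 0 WHERE users_id = ?");
    $st->execute([$id]);
    return $st->rowCount(); // 0 means nothing was reset
}

$now = time();
for ($i = 0; $i < MAX_FAILURES; $i++) {
    recordFailure($db, 7, '192.0.2.10', $now);
}
var_dump(isLocked($db, 7, $now));                    // inside the lock window
var_dump(isLocked($db, 7, $now + LOCK_SECONDS + 1)); // after the window has passed

// The post's UPDATE names lockDate. This table only has lock_date, so the
// statement fails, and with exceptions enabled the failure is visible.
try {
    $db->prepare("UPDATE users_logins_attempts SET lockDate = NULL, ip_address = NULL,
        failed_logins = 0 WHERE users_id = ?")->execute([7]);
} catch (PDOException $e) {
    echo "clear failed: ", $e->getMessage(), "\n";
}
echo "rows reset: ", clearLock($db, 7), "\n";
var_dump(isLocked($db, 7, $now));                    // state after the reset
```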
This topic has been moved to MySQL Help. http://www.phpfreaks.com/forums/index.php?topic=355485.0

I am currently building a website which uses postbacks. How can I clear the postback so that it can only be posted once? At the minute, when I refresh the page it keeps adding the same entry. Any help would be appreciated.

How do you clear GET variables after performing the action in the same page? I have tried to unset() them, but every time I refresh, the script reruns all over again and in the end, I have duplicate entries.

What is the difference between...
Code:
$_SESSION['memberID'] = '';
and
Code:
unset($_SESSION['memberID']);
And why would I want to use one versus the other?
Thanks, Debbie

I have a Credit Card Payment Form. A few things...
1.) For non-financial fields, I'm using a "sticky form".
Code:
<label for="firstName">First Name:</label>
<input id="firstName" name="firstName" class="text" type="text" maxlength="20" value="<?php echo $firstName; ?>" />
After the user successfully submits the form, how can I erase these values out? Right now, if you hit the "Back" button, the form data is still there, which isn't very secure?!
2.) I read somewhere that HTML secretly caches form values, and there is something you add to your HTML to prevent this - especially on the Credit Card # field. Any idea what I'm talking about?
BTW, I'm not using Cookies, Sessions, or a DB to store any form data.
Thanks, Debbie

I downloaded a script for a poll/voting kinda thing for all my site visitors a while ago and then I tweaked it a bit. It is linked to a database. It grabs the question and possible answers from one database. It also stores user votes, IP addresses, and the date they voted in a database.
I went to change the question and possible answers in my poll by simply changing the options in the database. This worked fine, but I found a big problem! If you have already voted in the poll, then it displays the results to you every time you visit the site. I assumed this was based off your IP since it is recorded in the database. So logically I thought if you cleared all the IPs in the DB, then the new question would display for every user, but to my alarm it is based off cookies. This is a problem because even though I changed the question and options, if people have not cleared their cookies from the last time then the poll still displays the results even though they have not voted on the new question yet. Is there some way to clear everyone's cookies or make the poll start fresh for everyone without drastically changing the code and how the entire thing works?
Edited by ryanmetzler3, 24 May 2014 - 09:33 PM.
This topic has been moved to Third Party PHP Scripts. http://www.phpfreaks.com/forums/index.php?topic=359149.0

Morning All, Should be a quick one for the seasoned veterans! I'm learning the ins and outs of sanitizing my variables for input into my database (mysql). The following is my code;
Code:
$Username = mysql_real_escape_string($_POST['username']);
$PWord = mysql_real_escape_string($_POST['pword']);
$Email = mysql_real_escape_string($_POST['email']);
$Fullname = mysql_real_escape_string($_POST['fullname']);
$Address_1 = mysql_real_escape_string($_POST['address_1']);
$Address_2 = mysql_real_escape_string($_POST['address_2']);
$City = mysql_real_escape_string($_POST['city']);
$Zip = mysql_real_escape_string($_POST['zip']);
$Country = mysql_real_escape_string($_POST['country']);
The following is my output;
Error executing INSERT statement - INSERT INTO tblUser(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)VALUES ('','','','','','','','','')
Any ideas? Also; is mysql_real_escape_string valid for use on all types of input from the input box?

I'm teaching myself a bit of OOP in php. found that i could pass an object into the SESSION array if i serialize() the object and then unserialize() it where i need it in other page files. all seems to work well until it comes time for a user to logout from my application and attempt to destroy the session. at times, when they log back in, this serialized SESSION value seems to still be set while other SESSION values have been cleared. at least i *think* this is what is going on.
in my logout handler, i have the following:
$_SESSION = array(); // clear all SESSION vars
setcookie(); // clear cookies
session_destroy();
but the above does not seem to be working. my guess is there is something native to serialized SESSION values that im not yet aware of. any help here would be much appreciated.

Hi, I'm quite a newbie to PHP and am doing a website. Have got a login working and the registration half way there, but am now in process of putting validation in Registration form. Have got the errors appearing if something isn't filled in or if the username is taken however, it clears all the fields and i would like it to keep the values in them if possible. Is there an easy way round this? I can give my code if needed
Cozzy

I'm calling a function that resets a couple arrays:
public function resetStuff() {
    $this->someArray = array();
    $this->someOtherArray = array();
}
However, someOtherArray is not resetting!! How could that be? I can add debug statements to echo the size of the arrays before and after the function calls. It shows that:
someArray went from n to 0
someOtherArray went from n to n
How is that possible??

hi, i have made a website where people register their details of them and products. they have to enter the following details in form Name of company name of the product company address email id password mobile number contact and brief details about their company
user can then login with email id and pwd. now after login, user will get a page where he can upload the photos of products images and their price. so now my question is that when he finishes uploading (by clicking on upload button) the product images and price text box, then on final uploaded webpage it should show all other things which he registered before (company name, mobile number etc) along with images and price. hence the main question: the user does not need to enter mobile and address while uploading images and filling price, but on the final page it should show mobile and address along with price and images, as user is not going to enter mobile and address again and again as he will have multiple products to upload.
I would appreciate your assistance, there are tons of login scripts and they work just fine. However I need my operators to login and then list their activities for the other operators who are logged in to see and if desired send their clients on the desired activity. I have the login working like a charm and the activities are listed just beautifully. How do I combine the two tables in the MySQL with PHP so the operator logged in can only make changes to his listing but see the others? FIRST THE ONE script, the member logs in here to the one table in MySQL:
<?php
session_start();
require_once('config.php');
$errmsg_arr = array();
$errflag = false;
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
$login = clean($_POST['login']);
$password = clean($_POST['password']);
if($login == '') {
    $errmsg_arr[] = 'Login ID missing';
    $errflag = true;
}
if($password == '') {
    $errmsg_arr[] = 'Password missing';
    $errflag = true;
}
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: login-form.php");
    exit();
}
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
if($result) {
    if(mysql_num_rows($result) == 1) {
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
        $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
        session_write_close();
        header("location: member-index.php");
        exit();
    }else {
        header("location: login-failed.php");
        exit();
    }
}else {
    die("Query failed");
}
?>
Now I need the person who logged in to the table above to be able to make multiple entries to the table below
<?
$ID=$_POST['ID'];
$title=$_POST['title'];
$cost=$_POST['cost'];
$activity=$_POST['activity'];
$ayear=$_POST['aday'];
$aday=$_POST['ayear'];
$seats=$_POST['special'];
$special=$_POST['seats'];
mysql_connect("xxxxxx", "xxx350234427", "========") or die(mysql_error());
mysql_select_db("xxxx") or die(mysql_error());
mysql_query("INSERT INTO `activity` VALUES ('ID','$title', '$cost','$activity', '$aday', '$ayear', '$special', '$seats')");
Print "Your information has been successfully added to the database!"
?>
Click <a href="member-profile.php">HERE</a> to return to the main menu
<?php ?>

Hi, so far I have managed to set up a somewhat basic login website with a mysql database backend. Once they have logged on they go to a "main menu" page. What I need to define is that user A sees button A but only that button, etc. (Then of course that same rule would have to apply if they tried to directly go to the page, but I am guessing I can do that in the same way that I currently do to force a login). If anyone has any tutorials or sample code I would much appreciate it. Thanks,

Actually, what i want to do is to use the email to fetch the $email,$password and $randomnumber from database after

Code:
$genre = $_POST['listMovies'];
$result = mysql_query("SELECT * FROM movieTable SORT BY title");
$column = 1;
define("COLUMNS", 2);
$movieCounter = 0;
echo "<h1>by " .$genre ."</h1><table>";
while ($info = mysql_fetch_array($result)) {
    $genre1 = $info['genre1'];
    $genre2 = $info['genre2'];
    $genre3 = $info['genre3'];
    $title = $info['title'];
    $link = $info['imdbLink'];
    if ($genre == $genre1 || $genre == $genre2 || $genre == $genre3) {
        $movieCounter++;
        if ($column == 1) {echo "<tr>";}
        echo "<td><a href='" .$link ."'>".$title ."</a></td>";
        $column++;
        if ($column > COLUMNS) {
            echo "</tr>";
            $column = 1;
        }
    }
}
echo "<table><tr><td>" .$movieCounter ." movies found.</td></tr></table>";
if ($column > 1 && $column <= COLUMNS) {
    while ($column++ <= COLUMNS) echo "<td></td>";
    echo "</tr>";
}
echo "</table>";
$genre = "";
now that you have the code, i have 2 questions about this. first one is this. whenever i first load this code everything is empty as it should be. then i select from a form a movie genre and everything works lovely. the problem is that the movies that are loaded are still there when i come back to the page. i need a way of clearing this out every time the code is run, while still displaying the movies. also .. this is just a php noob question here. why is that when i run a query like this
Code:
$result = mysql_query("SELECT * FROM movieTable SORT BY title");
i cannot use mysql_fetch_array or mysql_fetch_row? but it works when i do it like this
Code:
$result = mysql_query("SELECT * FROM movieTable");
like i said that's just a noob question that i cannot for the life of me figure out. thanks for the help, this forum has been the biggest help to me learning php.

I am following along in a PHP, MySQL book and the way they clear session variables is by:
Code:
session_start();
session_unset();
session_destroy();
They clear session variables like that in that exact order. My question is that this apparently clears ALL session variables for the browser in use. Every website I have visited when you click a LOGOUT button ONLY logs you out of their specific site and DOES NOT seem to clear ALL session variables as this would log you out of any other websites that you might be logged into with that same browser. So, I went to the PHP website and found out that instead of using the session_unset() function you can clear individual session variables using the unset($_SESSION['varname']) function. Is this a good way of clearing session variables ONLY for a PARTICULAR website and NOT clearing session variables for the WHOLE browser?
If so, would I then NOT use the session_destroy() function after clearing each individual session variable specific to that ONE website using unset($_SESSION['varname'])? Thank you in advance!

I'm trying to use this php to clear out the session variables and return to the index page. However it's not clearing them out. Any ideas? logout.php
Code:
<?php
session_start();
unset($_SESSION['user_id']);
unset($_SESSION['username']);
session_destroy();
header("Location: http://aaronhaas.com/pitchshark6/index.php?vid_id=1");
?>
then in my navigation I'm using this code to either display their username and a logout link to logout.php or if they are not logged in display a sign in link.
Code:
<?php
// if logged in
if (isset($_SESSION['user_id'])) {
    // display
    echo "<a href='#'>".$_SESSION['username']."</a> ";
    echo "<a href='scripts/logout.php'>Log Out</a> ";
}
// if not logged in
else {
    // display login link
    echo "<a href='login.php'>Sign In</a>";
}
?>
here is my super simple login script
Code:
$username = $_POST['username'];
$password = $_POST['password'];
//Check if the username or password boxes were not filled in
if(!$username || !$password){
    //if not display an error message
    echo "<center>You need to fill in a <b>Username</b> and a <b>Password</b>!</center>";
}else{
    // find user by username and password - working
    $userQuery = 'SELECT * FROM users WHERE user_name ='.'"'. $username.'" AND password='.'"'. $password.'"' ;
    $users = mysql_query($userQuery);
    $user = mysql_fetch_array($users);
    $_SESSION['user_id'] = $user['user_id'];
    $_SESSION['username'] = $user['username'];
    header("Location: http://aaronhaas.com/pitchshark6/index.php?vid_id=1");
}

Hi, I am getting frustrated beyond belief at the moment with trying to get a very simple script to run, I am using PHP 5.3.3 and MySQL 5.1 on a Win2k8 server with IIS7.5.
Basically my script is connecting to a local database, running a single select query, returning those rows and building up a string from them. The problem is that I am receiving complete BS responses from PHP that the access is denied for the user being specified. This is complete rubbish since the user can connect via mysql, sqlyog, ASP.NET MVC without issue but for some bizarre reason it is not working via PHP. The code for the script is here:
Code:
<?php
$mysql = mysql_connect('127.0.0.1:3306', 'myuser', 'mypass', 'mydatabase');
if (!$mysql) {
    die(mysql_error());
    $content = "<nobr></nobr>";
} else {
    $result = mysql_query('SELECT * FROM tblEventGroup');
    $content = "<nobr>";
    if ($result) {
        while($row = mysql_fetch_assoc($result)) {
            $content .= "<span>";
            $content .= $row['GroupName'];
            $content .= "</span>";
            $content .= "<a href=\"../Event/EventSearch?groupid=";
            $content .= $row['GroupId'];
            $content .= "\" target=\"_blank\">Book here</a> ";
        }
    }
    mysql_close($mysql);
    $content .= "</nobr>";
}
?>
I cannot for the life of me understand what the problem is, the return error is Access denied for user 'myuser'@'localhost' (using password: YES)