PHP login form
```php
<form action="form.php" method="post">
    Username: <input type="text" name="user" maxlength="50" value="" />
    Password: <input type="password" name="pass" maxlength="20" value="" />
    <input type="submit" name="Submit" value="Submit" />
</form>
<?php
$Accesstrys = 0;
if($_POST['Submit'] == "Submit") {
    $Accesstrys++;
    if($Acesstrys == 3) {
        $ip = getenv("REMOTE_ADDR");
        $file = fopen("Loginlimit/$ip",'w');
        fwrite($file,"$Accesstrys:$ip");
    }
}
?>
```

I'm trying to code a PHP login script that gives you 3 attempts to log in; if you fail, it freezes for, let's say, 10 minutes.
It is far from complete, but I tested this and it did not create / write a file with my IP. What is wrong with it?
PHP, like most dynamic languages used specifically for web applications, runs in a stateless environment. To track login attempts between HTTP requests, you need a session for your users:
```php
<?php
session_start();
if (!isset($_SESSION['Accesstrys'])) {
    $_SESSION['Accesstrys'] = 0;
}
$_SESSION['Accesstrys']++;
// ... your code goes here ...
```

Presumably, the username and password combination is not hardcoded in the script, but is retrieved from some database. In this case, why not just include a new column for each user? This solves the problem if the user simply deletes the session cookie on every third attempt.
The database will also allow you to “block” accounts when it has reached 3 failed attempts.
If you feel that you really need security, you can use a mixture of sessions and database columns, but store session data in a database. Google has many examples of how to do this using the set_session_save_handler function.
You want to use the database to store the number of attempts (by IP address or, better, by username); as others mentioned, your $Accesstrys will reset to zero for each request.
I am surprised that many people suggested using sessions to track the number of attempts. There is a fundamental security flaw - if login attempts were made by an automated bot trying to hack into your account, there would be no cookies (or URL session identifier), and your tracking of the access session would be useless.
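A sketch of the database-backed counter the answers above recommend, added here as an example and not part of any original answer: failures are stored per username, so they persist across requests and do not depend on the client keeping a session cookie. The `users` table layout, the in-memory SQLite database and the demo account are assumptions for illustration; the 3-attempt limit and 10-minute freeze come from the question.

```php
<?php
// Added example. Table layout, demo account and SQLite storage are assumptions.
const MAX_FAILURES = 3;    // attempts allowed before the lock
const LOCK_SECONDS = 600;  // 10-minute freeze

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username     TEXT PRIMARY KEY,
    pass_hash    TEXT NOT NULL,
    failures     INTEGER NOT NULL DEFAULT 0,
    locked_until INTEGER NOT NULL DEFAULT 0)');
$pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed account

function attemptLogin(PDO $pdo, string $user, string $pass, int $now): string
{
    $stmt = $pdo->prepare('SELECT pass_hash, locked_until FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';                       // unknown user: same reply as a bad password
    }
    if ($now < (int) $row['locked_until']) {
        return 'locked';                       // refuse without checking the password
    }
    if (password_verify($pass, $row['pass_hash'])) {
        $pdo->prepare('UPDATE users SET failures = 0, locked_until = 0 WHERE username = ?')
            ->execute([$user]);
        return 'ok';
    }
    // Increment inside SQL so concurrent requests cannot overwrite each other's count.
    $pdo->prepare('UPDATE users SET failures = failures + 1 WHERE username = ?')
        ->execute([$user]);
    // On reaching the limit, start the lock window and restart the counter.
    $pdo->prepare('UPDATE users SET failures = 0, locked_until = ?
                   WHERE username = ? AND failures >= ' . MAX_FAILURES)
        ->execute([$now + LOCK_SECONDS, $user]);
    return 'denied';
}

// Constructed run: three wrong guesses, a correct password during the lock,
// then the correct password once the lock has expired.
$start = time();
$tries = [['guess1', 0], ['guess2', 5], ['guess3', 10],
          ['correct horse', 15], ['correct horse', 10 + LOCK_SECONDS]];
foreach ($tries as [$pass, $offset]) {
    echo attemptLogin($pdo, 'alice', $pass, $start + $offset), "\n";
}
```

The lock check runs before `password_verify()`, so a correct password submitted during the freeze is still refused.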
There are many problems with what you are using. For instance:
- REMOTE_ADDR is not unique to each user.
- Writing information to a file will not work if you do not take care of users accessing the server concurrently.
- $Accesstrys++ disappears with every use, so its value will never be saved.
- etc..
You need to use the Sessions function and store the information in a session or database. Take a look at http://us.php.net/manual/en/features.sessions.php
Each time you submit an attempt, it resets the number of access attempts to 0. You need to save the number of attempts in a server-side solution, such as a database or session.
EDIT: As mentioned in my comments, my previous thought about placing such information in a cookie is the worst practice. Thanks to the stars for editing the community.
I would like to point out one more problem with the code: rather than checking whether the submitted value is equal to it, use isset().

```php
if(isset($_POST['Submit'])) {
    // Action code
}
```

Check out examples of effective login form design.
Refer to the links:
Login Form Code
Opening a file and writing - PHP function
Session to track value until session / browser expires