
PHP Server Side Scripting Forum

User login process

Msg#: 4393520 posted 6:36 pm on Dec 2, 2011 (gmt 0)

I'm doing my login processing script.

There are three possibilities with several things in between, but for the life of me, I can't make it work all together.

1. Check admin table: if found delete any previous attempts, add session vars, and put in the time and date of login, then send them right into the admin screen.

1a. If in admin table, but wrong password, add to attempts and send back to login again or if number of attempts >9 send them to the ban page.

2. If not in admin table, check user table: if found, add session vars and send right into user screen.

3. Not in either, potential hacker: check if attempt session var exists; if not, create it. Now equals 1. Send them back to login screen.

3a. If var exists add one to it and see if it's >9. If so send to ban page otherwise, back to login.

I have tried if/elseif/else, but apparently you have to have else as the last option, and it gets stuck parsing. I'm not sure I can do a case/switch here. Anyone know the best way to do this? I have to get this completed.




Msg#: 4393520 posted 9:33 pm on Dec 2, 2011 (gmt 0)

I tried to make a switch case: still not working


<?php
session_start();

// username and password sent from form
$myusername = mysql_real_escape_string(addcslashes($_POST['username'], "%_"));
$mypassword = mysql_real_escape_string(addcslashes($_POST['password'], "%_"));
$ip = $_SERVER['REMOTE_ADDR'];

switch ($usertype) {

    case 'admin':
        $sql = "SELECT * FROM $admin_table WHERE username='$myusername' AND password='$mypassword'";
        $result = mysql_query($sql) or die("Cannot find your login credentials " . mysql_error());
        $row = mysql_fetch_array($result);
        // If result matched $myusername and $mypassword, table row must be 1 row

        // Register $myusername, $mypassword and redirect
        $_SESSION['username'] = $row['username'];
        $_SESSION['useraccess'] = $row['access_level'];
        // Delete attempts from admins
        $q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
        $delattempts = mysql_query($q) or die(mysql_error());
        // Log date and time (24-hour clock so the column sorts correctly)
        $sql = "UPDATE $admin_table SET last_login = '" . date("Y-m-d H:i:s") . "' WHERE username = '$myusername'";
        $logdate = mysql_query($sql) or die(mysql_error());
        // Send to Admin index page
        break;

    case 'member':
        // If they are not found in the Admin table check the Member table
        $sql = "SELECT * FROM $user_table WHERE member_login='$myusername' AND member_password='$mypassword'";
        $result = mysql_query($sql) or die(mysql_error());
        $row = mysql_fetch_array($result);

        // Register $myusername, $mypassword and redirect
        $_SESSION['login'] = $row['member_login'];
        $_SESSION['id'] = $row['contactid'];
        $_SESSION['useraccess'] = 'User';
        break;

    case 'adminwrongpass':
        $sql = "SELECT attempts FROM $admin_table WHERE username='$myusername'";
        $result = mysql_query($sql) or die(mysql_error());
        echo 'Your IP Address has been logged! ';
        echo $ip;
        // if found how many attempts do they have? (count this failure too)
        $row = mysql_fetch_array($result);
        $attempts = (int) $row['attempts'] + 1;
        echo '<br />';
        echo $attempts;
        echo '&nbsp; attempts';
        $addattempt = "UPDATE $admin_table SET attempts = attempts + 1 WHERE username='$myusername'";
        mysql_query($addattempt) or die(mysql_error());

        // if they have more than 9 send them to the banned page
        if ($attempts > 9) {
            echo '<meta http-equiv="refresh" content="2;url=banned.html">';
        } else {
            // send them back to the login page
            echo "Wrong Username or Password";
            echo '<meta http-equiv="refresh" content="2;url=index.php">';
        }
        break;

    default:
        // Not in either table: count the attempts in the session
        echo "Wrong Username or Password";
        echo '<br />';
        echo 'Your IP Address has been logged!&nbsp;';
        echo $ip;
        if (isset($_SESSION['attempts'])) {
            $_SESSION['attempts'] = $_SESSION['attempts'] + 1;
        } else {
            $_SESSION['attempts'] = 1;
        }
        // check if session attempts are more than 9. If so send to ban page otherwise back to login.
        if ($_SESSION['attempts'] > 9) {
            echo '<meta http-equiv="refresh" content="2;url=banned.html">';
        } else {
            echo '<meta http-equiv="refresh" content="2;url=index.php">';
        }
        break;
}
echo $usertype;
Am I even in the ballpark?


eelixduppy (WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member)

Msg#: 4393520 posted 10:42 pm on Dec 2, 2011 (gmt 0)

Here is my quick on-the-fly attempt at refactoring your code to look and work a little better for you. It is probably not all there but this should get you started:


<?php
// use constants instead of variables, ideally should be defined in config file
define("USER_TABLE", "users");
define("ADMIN_TABLE", "authorize");
define("DOMAIN", "www.example.com");

// don't forget to start the session
session_start();

// escape the username/password only ONCE
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);

// first you would want to know if they attempted 10 times
if (isset($_SESSION['attempts']) && $_SESSION['attempts'] >= 10) {
    header(sprintf("Location: https://%s/banned.html", DOMAIN));
    exit;
}

// then we need to see if they logged in successfully
$q = sprintf("SELECT * FROM `%s` WHERE `member_login` = '%s' AND `member_password` = '%s'", USER_TABLE, $myusername, $mypassword);
$result = mysql_query($q) or die(mysql_error());

// if user is in table (with password)
if (mysql_num_rows($result) == 1) {
    $row = mysql_fetch_assoc($result);
    $_SESSION['username'] = $row['member_login'];
    $_SESSION['useraccess'] = $row['access_level'];

    // clear any failed attempts recorded for this user
    $q = sprintf("DELETE FROM `%s` WHERE `username` = '%s'", ADMIN_TABLE, $myusername);
    mysql_query($q) or die(mysql_error());
    unset($_SESSION['attempts']);

    header(sprintf("Location: https://%s/members/index.php", DOMAIN));
    exit;
} else {
    // wrong credentials: record the failure in the table and in the session
    $q = sprintf("INSERT INTO `%s` (attempts, last_login, username) VALUES (1, NOW(), '%s') ON DUPLICATE KEY UPDATE `attempts` = `attempts`+1", ADMIN_TABLE, $myusername);
    mysql_query($q) or die(mysql_error());
    $_SESSION['attempts'] = isset($_SESSION['attempts']) ? $_SESSION['attempts'] + 1 : 1;
    // it would be worth thinking about using the IP address as the identifier here
    // for the person making the login attempts, because currently they could brute force picking different usernames
    // each time and not be detected
}


Msg#: 4393520 posted 4:20 pm on Dec 5, 2011 (gmt 0)

Thank you so much!
What is the %s?

Spit up an error unexpected T_variable on line 41.

We are checking for members; what about admins? Where do I check for them? Start another block of code?


eelixduppy (WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member)

Msg#: 4393520 posted 2:16 pm on Dec 6, 2011 (gmt 0)

The %s is a placeholder for where a string is going to be inserted into. Look at the documentation for sprintf [php.net] for more information regarding this.

>> line 41
There is probably something missing (e.g. quote, parenthesis, etc). Look at line 41 and then backtrack up the code to find it (I can't see it at a quick glance).

>>what about admins?
Typically there would be some sort of access control identifier in the users table that references a different table of privileges for your site. That way you would be able to have many different user types, all with potentially different access. What I gave you was a quick hint at how it may be accomplished, but obviously you are going to have to code it further to suit your needs.
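As an added example (not code from this thread or from eelixduppy), here is the whole login decision from the original question written the way the reply above suggests: one users table with an access_level column instead of separate admin and member lookups, PDO prepared statements, password_verify() against a stored hash, and a server-side attempts table keyed on username and source IP so that cycling usernames is still counted. The table and column names, the DSN and credentials, and the admin/index.php target are assumptions; it generalizes the ">9 attempts" rule to both account types.

```php
<?php
// Added example, not code from the thread. Assumed schema: a `users` table
// (id, username, password_hash, access_level, last_login) and a `login_attempts`
// table (username, ip, attempted_at); DSN and credentials are placeholders.
session_start();
const MAX_ATTEMPTS = 10;
const WINDOW_SECONDS = 900;
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$ip       = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$since    = date('Y-m-d H:i:s', time() - WINDOW_SECONDS);

// 1. Lockout check first. Failures are counted by username OR source IP, so a
//    client cycling through usernames cannot stay under the limit.
$st = $pdo->prepare('SELECT COUNT(*) FROM login_attempts
                     WHERE (username = ? OR ip = ?) AND attempted_at > ?');
$st->execute([$username, $ip, $since]);
if ((int) $st->fetchColumn() >= MAX_ATTEMPTS) {
    header('Location: banned.html', true, 303);
    exit;
}

// 2. One lookup for admins and members alike; the submitted password never
//    enters the SQL, it is compared against the stored hash.
$st = $pdo->prepare('SELECT id, username, password_hash, access_level FROM users WHERE username = ?');
$st->execute([$username]);
$row = $st->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);                    // fresh session id on privilege change
    $_SESSION['id']         = $row['id'];
    $_SESSION['username']   = $row['username'];
    $_SESSION['useraccess'] = $row['access_level']; // e.g. 'admin' or 'user'
    $pdo->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
    $pdo->prepare('UPDATE users SET last_login = NOW() WHERE id = ?')->execute([$row['id']]);
    $target = $row['access_level'] === 'admin' ? 'admin/index.php' : 'members/index.php';
    header('Location: ' . $target, true, 303);
    exit;
}

// 3. Failure: record it server-side (a session counter disappears when the client
//    drops its cookie) and answer the same way whether or not the username exists.
$pdo->prepare('INSERT INTO login_attempts (username, ip, attempted_at) VALUES (?, ?, NOW())')
    ->execute([$username, $ip]);
error_log(sprintf('failed login for "%s" from %s', $username, $ip));
header('Location: index.php?error=1', true, 303);
exit;
```

Passwords are stored with password_hash() at registration; the attempts table needs an index on (username, attempted_at) and (ip, attempted_at) to keep the lockout query cheap.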


Msg#: 4393520 posted 3:01 pm on Dec 6, 2011 (gmt 0)

