I have something like this:
$Limit = counter;
mysql_query("DELETE FROM table WHERE counter >= '$limit'") or die(mysql_error());
I don't know if it makes sense... I'm new to PHP and I need help, please.
Also, do you want to ban the actual user, or do you want to ban the IP address of someone trying to login to an account and failing 3 times in a row?
NOTE: My personal thought is: I'm glad they don't do any of the preceding here at WebmasterWorld, because sometimes I'm a bit lazy and I forgot the login information for this account, so I used my old one for quite a while before I went to the trouble of trying to access this one again, and you might not be seeing this post if they had banned me after the 3rd failed login attempt to an account from an IP, because I used a really old password for this account and tried probably 30 times with different variations of the password I normally use now before I finally had to request my password and hope it came to an e-mail address that was still active to get in. Since you have actually tried what you are requesting with some code I'll see if I can help you through it if it's what you really want to do, but I strongly advise against it, unless there is some reason for what you want I am not seeing.
1.) Set a col in your database called logins.
(Should be an INT(1) NOT NULL default 0)
2.) When a user logs in set the col to the current value +1.
3.) When the user accesses the site, check username, password, login count.
Here's what a portion of the code looks like:
When the visitor tries to access get username,password,logins:
$sql="SELECT username,password,logins FROM table WHERE username='$username'";
$qry=mysql_query($sql);
$result=mysql_fetch_array($qry);
/* check the total number of logins */
if($result['logins']==3) {
$TooManyLogins="Yes";
}
else {
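/* Limit the update to this user; without a WHERE clause every row is incremented. */
$sql2="UPDATE table SET logins=logins+1 WHERE username='$username'";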
mysql_query($sql2);
}
if($username===$result['username'] && $password===$result['password']) {
if($TooManyLogins==="Yes") {
echo "Your Logins have expired";
exit();
}
else {
/* The rest of your code here. */
}
}
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
checklogin.php
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="logins"; // Database name
$tbl_name="logins"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//$sql1="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
//$result1=mysql_query($sql1);
// Mysql_num_row is counting table row
//$count=mysql_num_rows($result1);
// If result matched $myusername and $mypassword, table row must be 1 row
$sql="SELECT username,password,logins FROM $tbl_name WHERE username='$username'and logins='$logins'";
$query=mysql_query($sql);
$result = MYSQL_QUERY($query);
/* check the total number of logins */
if($result['$logins']==3) {
$TooManyLogins="Yes";
}
else {
$sql2="UPDATE table SET $logins=$logins+1";
mysql_query($sql2);
}
if($username===$result['username'] && $password===$result['password']) {
if($TooManyLogins==="Yes") {
echo "Your Logins have expired";
exit();
}
else {
if($logins==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
}
}
?>
// You don't have the number of logins yet, so you cannot select where logins = $logins.
$sql="SELECT username,password,logins FROM $tbl_name WHERE username='$username'";
$query=mysql_query($sql);
/* mysql_fetch_array is what I usually use. What you had won't work. */
$result = mysql_fetch_array($query);
/* check the total number of logins :: Removed the $ from logins below. Should be a string. Let's check to see if they're the right user before we do anything with logins... makes more sense. */
if($username===$result['username'] && $password===$result['password']) {
/* If logins is greater than or = 3 is a bit safer. */
if($result['logins']>=3) {
echo "Your Logins have expired";
exit();
}
else {
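/* logins is a column name, not a PHP variable, and the update must target this user only. */
$sql2="UPDATE $tbl_name SET logins=logins+1 WHERE username='$username'";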
mysql_query($sql2);
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
}
else {
echo "Wrong Username or Password";
}
//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
/* If logins is greater than or = 3 is a bit safer. */
if($result['logins']>=3) {
echo "Your Logins have expired";
exit();
}else {
$sql2="UPDATE members SET logins=logins+1 WHERE login like '$login'" ;
mysql_query($sql2); }
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
session_write_close();
header("location: member-index.php");
exit();
}else {
//Login failed
header("location: login-failed.php");
exit();
}
}else {
die("Query failed");
}
?>
One last thing... Everything is working all right except this script:
if($result['logins']>=3) {
echo "Your Logins have expired";
exit();
}
And the mysql_fetch_array gives me an error"
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\Program_Files\wamp\www\Votingsystem\login-exec.php on line 59
Query failed"
1.) The error means you tried to select something and nothing was found matching your select statement.
2.) This section of code:
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
Does not return (get and pass to the PHP script) anything from the database, all it does is run the query... You will need to run some version of:
'mysql_fetch_blah', which in this case is either mysql_fetch_array() or mysql_fetch_row()... One of the biggest differences is mysql_fetch_array() returns the associative indices (names of the cols) as well as the numerical value of the indices, where mysql_fetch_row() only returns numerical. IOW if you want to be able to use col names ($result['logins']) rather than just a numerical 'identifier' ($result[N] EG $result[2]) to determine the array piece to evaluate you need to use mysql_fetch_array().
##### @ ##### @ #####
The preceding stated, let's edit and troubleshoot:
//Create query
/* and echo the query so you can see what's being POSTed, what you are sending to the db and compare it to the stored db information manually to ensure there is a match. */
echo $sql="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
/* If the preceding does not work, echo back the 'passed' (POSTed) information and compare it to a 'hard coded' login and password into the select to see where + what the difference is:
echo "Login Variable: ".$login."<br /><br />Password Variable: ".$_POST['password']."<br /><br />";
echo $sql="SELECT * FROM members WHERE login='TestLogin' AND passwd='".md5('TheActualPassword')."'";
*/
$qry=mysql_query($sql);
$result=mysql_fetch_array($qry);
/* After being able to see the sql and compare it to the db information, let's see exactly what's stored in the $result array. */
print_r($result);
// Then let's exit until we know this part of the script works correctly.
exit();
/* Once that part is working, let's check to see if there was a successful query + result first, because if not and we know the select is correct and functioning, we know we had an unsuccessful login attempt: Using a negative comparison (preceded with !) should do the trick. The following basically says if No $result= 'the query' the login failed. */
if(!$result=mysql_fetch_array($qry)) {
//Login failed
header("location: login-failed.php");
exit();
}
/* If logins is greater than or = 3 is a bit safer... Since we know we had a 'good query' to get here we need to check the number of logins to see if we should let them in. */
elseif($result['logins']>=3) {
echo "Your Logins have expired";
exit();
}
/* If we did not 'exit' in either of the two preceding if statements, we can default to this else statement, because we had to have a good query (login) and logins are not = to or > 3. (In a 'super secure' environment, it would probably be better to do things a bit differently, but this way is easiest and should be sufficient for your needs.) */
else {
// Edited to the exact login used and accessed by the SELECT.
$sql2="UPDATE members SET logins=logins+1 WHERE login='".$result['login']."'" ;
// We don't need anything to be returned to PHP with this portion of the script, so just using mysql_query() without a 'fetch' is fine.
mysql_query($sql2);
/* Check whether the query was successful or not.
We don't really need to do this, because I moved it up in the script where it makes more sense and commented it out... If we made it here, we know there was a valid login and the login count was < 3.
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
*/
session_regenerate_id();
// $result already holds the fetched row (an array, not a result resource), so use it directly.
$member = $result;
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
session_write_close();
header("location: member-index.php");
exit();
}
It executes the header("location:login-fail.php");
whether the username and password are right or wrong.
I was thinking of something like this:
if(!$username===$result['username'] && !$password===$result['password']) {
But I coded my script to encrypt the password... passwd='".md5($_POST['password'])."' so I can't get it right.
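Added example, not written by any poster in this thread: the login limit discussed above, done with PDO prepared statements and password_hash()/password_verify() in place of the mysql_* calls and md5(). The passwd_hash column, the MAX_LOGINS constant, the attempt_login() function and the in-memory SQLite sample data are assumptions made for the illustration; the members table and its login, logins and member_id columns follow the thread.

```php
<?php
// Added example, not code from the thread. passwd_hash, MAX_LOGINS and
// attempt_login() are assumed names; sample rows below are constructed.
const MAX_LOGINS = 3;

function attempt_login(PDO $db, string $login, string $password): string
{
    // Look the row up by login only; the password never goes into the SQL.
    $stmt = $db->prepare('SELECT member_id, passwd_hash, logins FROM members WHERE login = ?');
    $stmt->execute([$login]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    // password_verify() checks against a salted hash made by password_hash().
    if ($member === false || !password_verify($password, $member['passwd_hash'])) {
        return 'failed';
    }

    // Limit check and increment in one statement, so two parallel requests
    // cannot both pass a separate "logins < 3" test.
    $upd = $db->prepare('UPDATE members SET logins = logins + 1 WHERE member_id = ? AND logins < ?');
    $upd->execute([$member['member_id'], MAX_LOGINS]);

    return $upd->rowCount() === 1 ? 'ok' : 'expired';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT UNIQUE,
           passwd_hash TEXT NOT NULL, logins INTEGER NOT NULL DEFAULT 0)');
$ins = $db->prepare('INSERT INTO members (login, passwd_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$tries = [
    ['alice', 'wrong'],            // bad password: counter must stay untouched
    ["o'brien", 'x'],              // the quote character is bound as data, not SQL
    ['alice', 'correct horse'],
    ['alice', 'correct horse'],
    ['alice', 'correct horse'],
    ['alice', 'correct horse'],    // one valid login more than MAX_LOGINS allows
];
foreach ($tries as [$login, $password]) {
    printf("%-10s %-14s => %s\n", $login, $password, attempt_login($db, $login, $password));
}
```

Because the password is verified in PHP rather than matched in the WHERE clause, a wrong password and an exhausted counter are distinguishable cases, which is what the fetch-then-compare logic in the thread was trying to achieve.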