
User login process



6:36 pm on Dec 2, 2011 (gmt 0)

I'm doing my login processing script.

There are three possibilities with several things in between, but for the life of me, I can't make it work all together.

1. Check admin table: if found delete any previous attempts, add session vars, and put in the time and date of login, then send them right into the admin screen.

1a. If in admin table, but wrong password, add to attempts and send back to login again or if number of attempts >9 send them to the ban page.

2. If not in admin table, check user table: if found, add session vars and send right into user screen.

3. Not in either, potential hacker: check if attempt session var exists; if not, create it. Now equals 1. Send them back to login screen.

3a. If var exists, add one to it and see if it's >9. If so, send to ban page; otherwise, back to login.

I have tried if/elseif/else, but apparently you have to have else be the last option and it gets stuck parsing. I'm not sure I can do a case/switch here. Anyone know the best way to do this? I have to get this completed.



9:33 pm on Dec 2, 2011 (gmt 0)

I tried to make a switch case: still not working


// username and password sent from form
$myusername = mysql_real_escape_string(addcslashes($_POST['username'], "%_"));
$mypassword = mysql_real_escape_string(addcslashes($_POST['password'], "%_"));
$ip = $_SERVER['REMOTE_ADDR'];

// $usertype must be decided BEFORE the switch ('admin', 'member', 'adminwrongpass' or anything else);
// the switch itself cannot work out which table the person is in
switch ($usertype) {

case 'admin':
    $sql = "SELECT * FROM $admin_table WHERE username='$myusername' AND password='$mypassword'";
    $result = mysql_query($sql) or die("Cannot find your login credentials " . mysql_error());
    $row = mysql_fetch_array($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    // Register $myusername, $mypassword and redirect
    $_SESSION['username'] = $row['username'];
    $_SESSION['useraccess'] = $row['access_level'];
    // Delete attempts from admins
    $q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
    $delattempts = mysql_query($q) or die(mysql_error());
    // Log date and time (H = 24-hour clock; h would store a 12-hour value with no am/pm)
    $sql = "UPDATE $admin_table SET last_login = '" . date("Y-m-d H:i:s") . "' WHERE username = '$myusername'";
    $logdate = mysql_query($sql) or die(mysql_error());
    // Send to Admin index page
    break;

case 'member':
    // If they are not found in the Admin table check the Member table
    $sql = "SELECT * FROM $user_table WHERE member_login='$myusername' AND member_password='$mypassword'";
    $result = mysql_query($sql) or die(mysql_error());
    $row = mysql_fetch_array($result);

    // Register $myusername, $mypassword and redirect
    $_SESSION['login'] = $row['member_login'];
    $_SESSION['id'] = $row['contactid'];
    $_SESSION['useraccess'] = 'User';
    break;

case 'adminwrongpass':
    $sql = "SELECT attempts FROM $admin_table WHERE username='$myusername'";
    $result = mysql_query($sql) or die(mysql_error());
    echo 'Your IP Address has been logged! ';
    echo $ip;
    // if found how many attempts do they have?
    $row = mysql_fetch_array($result);
    $attempts = (int) $row['attempts'];
    echo '<br />';
    echo $attempts;
    echo '&nbsp; attempts';
    // record this failure
    $addattempt = "UPDATE $admin_table SET attempts = attempts + 1 WHERE username = '$myusername'";
    mysql_query($addattempt) or die(mysql_error());

    // if they have more than 9 send them to the banned page
    if ($attempts > 9) {
        echo '<meta http-equiv="refresh" content="2;url=banned.html">';
    } else {
        // send them back to the login page
        echo '<meta http-equiv="refresh" content="2;url=index.php">';
    }
    break;

default:
    // Not in either table: count the attempts in the session
    echo "Wrong Username or Password";
    echo '<br />';
    echo 'Your IP Address has been logged!&nbsp;';
    echo $ip;
    if (isset($_SESSION['attempts'])) {
        $_SESSION['attempts'] = $_SESSION['attempts'] + 1;
        // check if session attempts are more than 9. If so send to ban page otherwise back to login.
        if ($_SESSION['attempts'] > 9) {
            echo '<meta http-equiv="refresh" content="2;url=banned.html">';
        } else {
            echo '<meta http-equiv="refresh" content="2;url=index.php">';
        }
    } else {
        // first attempt from this session
        $_SESSION['attempts'] = 1;
        echo '<meta http-equiv="refresh" content="2;url=index.php">';
    }
    break;
}
echo $usertype;
Am I even in the ballpark?


10:42 pm on Dec 2, 2011 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Here is my quick on-the-fly attempt at refactoring your code to look and work a little better for you. It is probably not all there but this should get you started:


//use constants instead of variables, ideally should be defined in config file
define("USER_TABLE", "users");
define("ADMIN_TABLE", "authorize");
define("DOMAIN", "www.example.com");

// don't forget to start the session
session_start();

// escape the username/password only ONCE
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);

// first you would want to know if they attempted 10 times
if(isset($_SESSION['attempts']) && $_SESSION['attempts'] >= 10) {
    header(sprintf("Location: https://%s/banned.html", DOMAIN));
    exit;
}

// then we need to see if they logged in successfully
$q = sprintf("SELECT * FROM `%s` WHERE `member_login` = '%s' AND `member_password` = '%s'", USER_TABLE, $myusername, $mypassword);
$result = mysql_query($q) or die(mysql_error());

// if user is in table (with password)
if(mysql_num_rows($result) == 1) {
    $row = mysql_fetch_assoc($result);
    // the column selected above is member_login, so that is the key in $row
    $_SESSION['username'] = $row['member_login'];
    $_SESSION['useraccess'] = $row['access_level'];

    // clear the failed-attempt record for this username
    $q = sprintf("DELETE FROM `%s` WHERE `username` = '%s'", ADMIN_TABLE, $myusername);
    mysql_query($q) or die(mysql_error());
    unset($_SESSION['attempts']);

    header(sprintf("Location: https://%s/members/index.php", DOMAIN));
    exit;
} else {
    // wrong credentials: the username is a string, so its placeholder must be quoted;
    // the first failure inserts a row with attempts = 1, later failures increment it
    $q = sprintf("INSERT INTO `%s` (attempts, last_login, username) VALUES (1, NOW(), '%s') ON DUPLICATE KEY UPDATE `attempts` = `attempts`+1", ADMIN_TABLE, $myusername);
    mysql_query($q) or die(mysql_error());
    // count in the session as well, so the check at the top can ever reach 10
    $_SESSION['attempts'] = isset($_SESSION['attempts']) ? $_SESSION['attempts'] + 1 : 1;
    // it would be worth thinking about using the IP address as the identifier here
    // for the person making the login attempts, because currently they could brute force picking different usernames
    // each time and not be detected
}
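The procedure laid out in the first post (look the user up, count failures, ban after the tenth) and the IP-address point made just above, written out as one added example. This is not code from the thread or from either poster: it uses PDO prepared statements instead of string-built SQL, stores password hashes and compares them with password_verify(), and keeps the failure counter both per username and per client address so that guessing a different username on every request is still counted. The table and column names, the in-memory SQLite database, the 15-minute counter window and the two sample accounts are all assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: login with prepared statements,
// hashed passwords and a lockout counted per username AND per client IP.
// Schema, in-memory SQLite, window length and sample users are assumptions.

const MAX_ATTEMPTS = 10;     // the thread's ">9 attempts means banned"
const WINDOW_SECONDS = 900;  // assumption: a failure counter expires after 15 minutes

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password_hash TEXT, access_level TEXT, last_login TEXT)');
    $db->exec('CREATE TABLE login_attempts (attempt_key TEXT PRIMARY KEY,
               attempts INTEGER, last_attempt INTEGER)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash, access_level) VALUES (?, ?, ?)');
    // constructed sample accounts; only hashes are stored
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 'user']);
    return $db;
}

// Hash checked when the username does not exist, so an unknown user costs the
// same time as a wrong password and the response does not reveal which accounts exist.
function dummyHash(): string {
    static $h = null;
    return $h ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

function attemptCount(PDO $db, string $key, int $now): int {
    $st = $db->prepare('SELECT attempts, last_attempt FROM login_attempts WHERE attempt_key = ?');
    $st->execute([$key]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int)$row['last_attempt'] > WINDOW_SECONDS) {
        return 0;  // no record, or the record is older than the window
    }
    return (int)$row['attempts'];
}

function recordFailure(PDO $db, string $key, int $now): void {
    // SQLite spelling of MySQL's INSERT ... ON DUPLICATE KEY UPDATE
    $st = $db->prepare('INSERT OR REPLACE INTO login_attempts (attempt_key, attempts, last_attempt) VALUES (?, ?, ?)');
    $st->execute([$key, attemptCount($db, $key, $now) + 1, $now]);
}

function clearFailures(PDO $db, string ...$keys): void {
    $st = $db->prepare('DELETE FROM login_attempts WHERE attempt_key = ?');
    foreach ($keys as $key) {
        $st->execute([$key]);
    }
}

function isLockedOut(PDO $db, string $userKey, string $ipKey, int $now): bool {
    return attemptCount($db, $userKey, $now) >= MAX_ATTEMPTS
        || attemptCount($db, $ipKey, $now) >= MAX_ATTEMPTS;
}

// Returns 'ok', 'retry' or 'banned'; on success fills $session the way the
// thread's code fills $_SESSION (a plain array here so the demo runs from the CLI).
function login(PDO $db, string $username, string $password, string $ip, int $now, array &$session): string {
    $userKey = 'user:' . strtolower($username);
    $ipKey   = 'ip:' . $ip;

    // refuse before looking at the credentials at all
    if (isLockedOut($db, $userKey, $ipKey, $now)) {
        return 'banned';
    }

    $st = $db->prepare('SELECT id, username, password_hash, access_level FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // unknown user and wrong password take exactly the same path
    $hash = $row === false ? dummyHash() : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false) {
        recordFailure($db, $userKey, $now);
        recordFailure($db, $ipKey, $now);   // counts guesses spread across many usernames from one address
        return isLockedOut($db, $userKey, $ipKey, $now) ? 'banned' : 'retry';
    }

    clearFailures($db, $userKey, $ipKey);
    $db->prepare('UPDATE users SET last_login = ? WHERE id = ?')
       ->execute([date('Y-m-d H:i:s', $now), $row['id']]);
    $session = ['id' => $row['id'], 'username' => $row['username'], 'useraccess' => $row['access_level']];
    return 'ok';
}

// demo run; a real handler passes $_POST values and $_SERVER['REMOTE_ADDR']
$db = makeDb();
$session = [];
$now = time();
echo login($db, 'alice', 'wrong guess', '203.0.113.5', $now, $session), "\n";   // one failure
for ($i = 0; $i < 9; $i++) {
    login($db, "ghost$i", 'x', '203.0.113.5', $now, $session);                 // nine more, different usernames
}
echo login($db, 'bob', 'battery staple', '203.0.113.5', $now, $session), "\n";  // right password, exhausted address
echo login($db, 'bob', 'battery staple', '198.51.100.7', $now, $session), "\n"; // right password, fresh address
echo $session['useraccess'], "\n";
```

The demo run shows why the per-address counter matters: after ten failures from 203.0.113.5 under ten different usernames, a correct password from that address is still refused, while the same credentials from another address succeed and populate the session. With only the per-username counter of the thread's code, the ten guesses would never add up. The access_level column plays the role the later reply describes, one identifier on the user row that says what the account may do, so admins and members come from the same table and the same query.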


4:20 pm on Dec 5, 2011 (gmt 0)

Thank you so much!
What is the %s?

It spat up an error: unexpected T_VARIABLE on line 41.

We are checking for members; what about admins? Where do I check for them? Start another block of code?


2:16 pm on Dec 6, 2011 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

The %s is a placeholder for where a string is going to be inserted. Look at the documentation for sprintf [php.net] for more information regarding this.

>> line 41
There is probably something missing (e.g. quote, parenthesis, etc). Look at line 41 and then backtrack up the code to find it (I can't see it at a quick glance).

>>what about admins?
Typically there would be some sort of access control identifier in the users table that references a different table of privileges for your site. That way you would be able to have many different user types, all with potentially different access. What I gave you was a quick hint at how it may be accomplished, but obviously you are going to have to code it further to suit your needs.
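The "access control identifier that references a different table of privileges" described above, as an added example that is not code from the thread or from the poster: a role_id column on the users table points at a roles table, and a role_permissions table lists what each role may do, so a page checks a named permission rather than comparing a string such as 'admin'. The schema, the role and permission names, the sample users and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not from the thread: users.role_id -> roles -> role_permissions,
// checked deny-by-default. Schema, names and sample rows are assumptions.

function makeAuthzDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
    $db->exec('CREATE TABLE role_permissions (role_id INTEGER, permission TEXT,
               PRIMARY KEY (role_id, permission))');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               role_id INTEGER REFERENCES roles(id))');
    // constructed sample data: two roles, three users, one of them with no role at all
    $db->exec("INSERT INTO roles VALUES (1, 'admin'), (2, 'member')");
    $db->exec("INSERT INTO role_permissions VALUES
               (1, 'view_members'), (1, 'edit_members'), (1, 'ban_members'),
               (2, 'view_members')");
    $db->exec("INSERT INTO users VALUES (10, 'alice', 1), (11, 'bob', 2), (12, 'carol', NULL)");
    return $db;
}

// Deny by default: the user must have a role, and that role must carry the permission.
// A user with role_id NULL matches no row of the join and is therefore denied everything.
function userCan(PDO $db, int $userId, string $permission): bool {
    $st = $db->prepare('SELECT 1 FROM users u
                        JOIN role_permissions rp ON rp.role_id = u.role_id
                        WHERE u.id = ? AND rp.permission = ?');
    $st->execute([$userId, $permission]);
    return $st->fetchColumn() !== false;
}

// Guard for a page or action: call it at the top of the protected script,
// after the login handler has put the user id into the session.
function requirePermission(PDO $db, array $session, string $permission): void {
    if (!isset($session['id']) || !userCan($db, (int)$session['id'], $permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// demo run over the sample users
$db = makeAuthzDb();
$checks = [[10, 'ban_members'], [11, 'ban_members'], [11, 'view_members'], [12, 'view_members']];
foreach ($checks as [$uid, $perm]) {
    printf("user %d, %s: %s\n", $uid, $perm, userCan($db, $uid, $perm) ? 'allowed' : 'denied');
}
```

Adding a new user type is then a row in roles plus rows in role_permissions; no login or page code changes. Keeping the user id in the session and looking permissions up per request, rather than caching a role name in the session, also means a demoted or banned account loses access on its next request instead of when its session expires.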


3:01 pm on Dec 6, 2011 (gmt 0)

