1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:20 am Apr 28, 2026

Forum Moderators: coopster

Message Too Old, No Replies

User login process

         

Gilead

6:36 pm on Dec 2, 2011 (gmt 0)

10+ Year Member



I'm doing my login processing script.

There are three possibilities with several things in between, but for the life of me, I can't make it work all together.

1. Check admin table: if found delete any previous attempts, add session vars, and put in the time and date of login, then send them right into the admin screen.

1a. If in admin table, but wrong password, add to attempts and send back to login again or if number of attempts >9 send them to the ban page.

2. If not in admin table, check user table: if found, add session vars and send right into user screen.

3. Not in either, potential hacker: check if attempt session var exists; if not, create it. Now equals 1. Send them back to login screen.

3a. If var exists add one to it and see if it's >9. If so send to ban page otherwise, back to login.

I have tried if elseif else, but apparently, you have to have else be the last option and it get stuck parsing. I'm not sure I can do a case/switch here. Anyone know the best way to do this? I have to get this completed.

Thanks!

Gilead

9:33 pm on Dec 2, 2011 (gmt 0)

10+ Year Member



I tried to make a switch case: still not working
session_start();

include('dbconfig.php');
$user_table="users";
$admin_table="authorize";


// username and password sent from form
$myusername=mysql_real_escape_string((addcslashes($_POST['username'], "%_")));
$mypassword=mysql_real_escape_string((addcslashes($_POST['password'], "%_")));




switch ($usertype){

case admin:
$sql= "SELECT * FROM $admin_table WHERE username='$myusername' and password='$mypassword'";
$result= mysql_query($sql)or die("Cannot find your login credentials " . mysql_error());
$row = mysql_fetch_array($result);
$admcount=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($admcount==1){
// Register $myusername, $mypassword and redirect
$_SESSION['username']= $row['username'];
$_SESSION['useraccess']= $row['access_level'];
// Delete attempts from admins
$q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
$delattempts= @mysql_query($q)or die(mysql_error());
// Log date and time
$sql = "UPDATE $admin_table SET last_login = '". date("Y-m-d h:i:s"). "' WHERE username = '$myusername'";
$logdate = mysql_query($sql) or die(mysql_error());
// Send to Admin index page
header("location:/admin/index.php");
break
case member:
// If they are not found in the Admin table check the Member table
$sql="SELECT * FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Mysql_num_row is counting table row
$mcount=mysql_num_rows($result);
if($mcount==1){
// Register $myusername, $mypassword and redirect
$_SESSION['login']= $row['member_login'];
$_SESSION['id']= $row['contactid'];
$_SESSION['useraccess']= 'User';

header("location:members/index.php");
break
case adminwrongpass:
$sql="SELECT attempts FROM $admin_table WHERE username='$myusername'";
$ip=$_SERVER['REMOTE_ADDR'];
echo 'Your IP Address has been logged! ';
echo $ip;
$result=mysql_query($sql);
//if found how many attempts do they have?
$row = mysql_fetch_array($result);
$attempts=$row['attempts'];
echo '<br />';
echo $attempts;
echo '&nbsp; attempts';
$addattempt="UPDATE $admin_table SET attempts = attempts +1 WHERE username= '$myusername' ";
mysql_query($addattempt);

// if they have more than 9 send them to the banned page
if ($attempts>9){
echo '<meta http-equiv="refresh" content="2;url=banned.html">';
}
else {
//send them back to the login page
echo '<meta http-equiv="refresh" content="2;url=index.php">';
}
}
break
default:
echo "Wrong Username or Password";
echo '<br />';
$ip=$_SERVER['REMOTE_ADDR'];
echo 'Your IP Address has been logged!&nbsp;';
echo $ip;
if (isset($_SESSION['attempts']))
$_SESSION['attempts'] = $_SESSION['attempts']+1;
//check if session attempts are more than 9. If so send to ban page otherwise back to login.
if ($_SESSION['attempts']>9){
echo '<meta http-equiv="refresh" content="2;url=banned.html">';
else
$_SESSION['attempts'] = 1;
// echo '<meta http-equiv="refresh" content="2;url=index.php">'
}
}
echo $usertype;
Am I even in the ballpark?

eelixduppy

10:42 pm on Dec 2, 2011 (gmt 0)



Here is my quick on-the-fly attempt at refactoring your code to look and work a little better for you. It is probably not all there but this should get you started: 


require_once('dbconfig.php');

//use constants instead of variables, ideally should be defined in config file
define("USER_TABLE", "users");
define("ADMIN_TABLE", "authorize");
define("DOMAIN", "www.example.com");

// don't forget to start the session
session_start();

// escape the username/password only ONCE
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);

// first you would want to know if they attempted 10 times
if(isset($_SESSION['attempts']) && $_SESSION['attempts'] >= 10) {
 header(sprintf("Location: https://%s/banned.html", DOMAIN));
 exit;
}

// then we need to see if they logged in successfully
$q = sprintf("SELECT * FROM `%s` WHERE `member_login` = '%s' AND `member_password` = '%s'", USER_TABLE, $myusername, $mypassword);
$result = mysql_query($q) or die(mysql_error());

// if user is in table (with password)
if(mysql_num_rows($result) == 1) {
 $row = mysql_fetch_assoc($result);
 $_SESSION['username'] = $row['username'];
 $_SESSION['useraccess'] = $row['acces_level'];

 $q = sprintf("DELETE FROM `%s` WHERE `username` = '%s'", ADMIN_TABLE, $myusername);
 mysql_query($q);

 header(sprintf("Location: https://%s/members/index.php", DOMAIN));
 exit;
} else {
// wrong credntials
 $q = sprintf("INSERT INTO `%s` (attempts, last_login, username) VALUES (0, NOW(), %s) ON DUPLICATE KEY UPDATE `attempts` = `attempts`+1", ADMIN_TABLE, $myusername);
 mysql_query($q) or die(mysql_error());
 if(!isset($_SESSION['attempts'])
 $_SESSION['attempts'] = 0;
 $_SESSION['attempts']++;
// it would be worth thinking about using the IP address as the identifier here
// for the person making the login attemps, because currently they could brute force picking different usernames
// each time and not be detected
}

Gilead

4:20 pm on Dec 5, 2011 (gmt 0)

10+ Year Member



Thank you so much!
What is the %s?

Spit up an error unexpected T_variable on line 41.

We are checking for members; what about admins? Where do I check for them? Start another block of code?

eelixduppy

2:16 pm on Dec 6, 2011 (gmt 0)



The %s is a placeholder for where a string is going to be inserted into. Look at the documentation for sprintf [php.net] for more information regarding this.

>> line 41
There is probably something missing (e.g. quote, parenthesis, etc). Look at line 41 and then backtrack up the code to find it (I can't see it at a quick glance).

>>what about admins?
Typically there would be some sort of access control identifier in the users table that references a different table of privileges for your site. That way you would be able to have many different user types, all with potentially different access. What I gave you was a quick hint at how it may be accomplished, but obviously you are going to have to code it further to suit your needs.

Gilead

3:01 pm on Dec 6, 2011 (gmt 0)

10+ Year Member



Thanks!
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:20 am Apr 28, 2026