Restrict login access for a few minutes in PHP

Time: 2015-04-19 13:25:38

Tags: php mysql

My form is shown below... I want to perform an action after the user enters the wrong password 3 times, after which his account is locked for a few minutes... How can I implement this in my form?

<?php

session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $connect = mysql_connect('localhost', 'root', 'root');

    mysql_selectdb('lr') or die('Couldnt find database');

    $query = mysql_query("SELECT * FROM users WHERE username = '$username'");
    $numrows = mysql_num_rows($query);

    if ($numrows != 0) {

        while ($row = mysql_fetch_assoc($query)) {
            $dbuser = $row['username'];
            $dbpass = $row['password'];
        }

        if ($username == $dbuser && $password == $dbpass) {
            $_SESSION['username'] = $dbuser;
            if ($_SESSION['username']) {
                echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
                echo 'Click <a href = "index.php"> here </a> to log out !';
            }
        } else {
            echo 'Incorrect Username or Password Combinations ';
        }

    } else {
        die('That user does not exist');
    }

}

?>

1 answer:

Answer 0 (score: 1)

As other users have said, you are vulnerable to SQL injection. Always validate user input!

Regarding your question: you could use the database, but then someone could easily block other users' accounts. You can also use session variables. You just need to record the number of failed logins in the session. After 3 failures, you can set a session variable holding the timestamp from which the user is allowed to log in again (current timestamp + X), and check whether that time has passed before running the SQL check. If the user logs in successfully, these session variables should be cleared or reset. (Sorry, I don't have time to build your example, but it is easy to implement.)

Written on a touchpad and not tested in any way, but I hope it gives you some hints.

<?php
session_start();
define('MAX_LOGIN_ATTEMPTS', 3);

// Refuse to even look at the credentials while a lockout is in force.
if (isset($_SESSION['loginTimeout'])) {
    if ($_SESSION['loginTimeout'] > time()) {
        echo "You used all login attempts. Try again in a little while.";
        exit; // ups, forgot about this :)
    }
    // The lockout has expired: start counting from zero again.
    unset($_SESSION['loginTimeout'], $_SESSION['loginAttempts']);
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $connect = mysql_connect('localhost', 'root', 'root');

    mysql_selectdb('lr') or die('Couldnt find database');

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Escape only what goes into the query; the raw values are what gets compared.
    $query = mysql_query("SELECT * FROM users WHERE username = '" . mysql_real_escape_string($username) . "'");
    $numrows = mysql_num_rows($query);
    $bFail = false;

    if ($numrows != 0) {

        while ($row = mysql_fetch_assoc($query)) {
            $dbuser = $row['username'];
            $dbpass = $row['password'];
        }

        if ($username == $dbuser && $password == $dbpass) {
            // Successful login: reset the counters.
            unset($_SESSION['loginTimeout'], $_SESSION['loginAttempts']);
            $_SESSION['username'] = $dbuser;
            if ($_SESSION['username']) {
                echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
                echo 'Click <a href = "index.php"> here </a> to log out !';
            }
        } else {
            echo 'Incorrect Username or Password Combinations ';
            $bFail = true;
        }

    } else {
        // Do not die() here, or the failed attempt would never be counted.
        echo 'That user does not exist';
        $bFail = true;
    }

    if ($bFail) {
        if (isset($_SESSION['loginAttempts'])) $_SESSION['loginAttempts']++;
        else $_SESSION['loginAttempts'] = 1;

        // Lock after the third failure.
        if ($_SESSION['loginAttempts'] >= MAX_LOGIN_ATTEMPTS) {
            // one hour timeout
            $_SESSION['loginTimeout'] = time() + 1*60*60;
        }
    }
}
?>
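As an added example (not code from the question or from the answer above), here is the session-based throttle the answer describes, carried a little further: the lookup uses a PDO prepared statement instead of string interpolation, the password is checked with password_verify() against a stored hash instead of a plain-text comparison, the lockout expires and resets the counter, and both wrong-password and unknown-user failures are counted. The DSN, the lr_app credentials and the password_hash column are assumptions.

```php
<?php
// login_throttle.php - added example; assumes a `users` table with columns
// `username` and `password_hash` (a password_hash() digest) and a form that
// POSTs `username` and `password` to this script.
declare(strict_types=1);
session_start();

const MAX_LOGIN_ATTEMPTS = 3;
const LOCKOUT_SECONDS    = 5 * 60;   // "a few minutes", as the question asks

/**
 * Seconds remaining on the current lockout, or 0 if a login may be attempted.
 * An expired lockout is cleared here so the counter starts from zero again.
 */
function lockoutRemaining(array &$session, int $now): int
{
    if (!isset($session['loginLockedUntil'])) {
        return 0;
    }
    $remaining = $session['loginLockedUntil'] - $now;
    if ($remaining > 0) {
        return $remaining;
    }
    unset($session['loginLockedUntil'], $session['loginAttempts']);
    return 0;
}

/** Record one failed attempt and start a lockout once the limit is reached. */
function recordFailure(array &$session, int $now): void
{
    $session['loginAttempts'] = ($session['loginAttempts'] ?? 0) + 1;
    if ($session['loginAttempts'] >= MAX_LOGIN_ATTEMPTS) {
        $session['loginLockedUntil'] = $now + LOCKOUT_SECONDS;
    }
}

/** Successful login: clear the counters, as the answer recommends. */
function clearFailures(array &$session): void
{
    unset($session['loginAttempts'], $session['loginLockedUntil']);
}

/**
 * Look the user up with a bound parameter (no SQL injection possible) and
 * verify the submitted password against the stored hash.
 */
function checkCredentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: spend a comparable amount of time so the response
        // time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$now = time();
if (($wait = lockoutRemaining($_SESSION, $now)) > 0) {
    http_response_code(429);
    exit("Too many failed logins. Try again in {$wait} seconds.");
}

if (isset($_POST['username'], $_POST['password'])) {
    // Hypothetical DSN and application credentials; replace with your own.
    $db = new PDO('mysql:host=localhost;dbname=lr;charset=utf8mb4', 'lr_app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    if (checkCredentials($db, (string) $_POST['username'], (string) $_POST['password'])) {
        clearFailures($_SESSION);
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['username'] = (string) $_POST['username'];
        echo 'Welcome ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . '!';
    } else {
        recordFailure($_SESSION, $now);
        // One generic message for wrong password and unknown user alike.
        echo 'Incorrect username or password.';
    }
}
```

A session counter only slows down a client that keeps its session cookie; a script that discards the cookie between requests starts each time with a clean counter, which is why the answer also mentions counting failures in the database, with the trade-off it notes that a database-side lock lets anyone lock another user's account by submitting bad passwords for it. Showing the remaining seconds rather than an exact unlock timestamp, and returning the same message for an unknown user and a wrong password, keeps the response from confirming which usernames exist.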