I have the following login.php file with the following content:
<?php
require 'db.php';
require '../functions/log_attempts.php';
session_start();
// If a session exists, redirect to index.php
if(isset($_SESSION['IS_LOGIN'])) {
    header('Location: index.php');
}
if(isset($_POST['submit'])) {
    // Login attempt limit
    $bantime = time()-30;
    $ip_address = getIpAddr();
    // Check the number of login attempts
    $check_attempts = mysqli_query($connect, "SELECT count(*) as total_count FROM login_attempts WHERE log_times > $bantime and ip='$ip_address'");
    $check_login_row = mysqli_fetch_assoc( $check_attempts);
    $total_count = $check_login_row['total_count'];
    if($total_count==3) {
        echo '<div class="alert-box error">Osiągnięto limit prób logowania. Spróbuj ponownie po 30 sekundach.</div>';
    }
    else {
        $login = mysqli_real_escape_string($connect, $_POST['login']);
        $password = mysqli_real_escape_string($connect, $_POST['password']);
        $sql = "SELECT * FROM accounts WHERE login = '".$login."'";
        $result = mysqli_query($connect, $sql);
        $numRows = mysqli_num_rows($result);
        if($numRows == 1) {
            $row = mysqli_fetch_assoc($result);
            if(password_verify($password, $row['password'])) {
                session_start();
                $_SESSION['IS_LOGIN'] = true;
                mysqli_query($connect, "DELETE FROM login_attempts WHERE ip='$ip_address'");
                $_SESSION['login'] = $row['login'];
                $_SESSION['password'] = $row['password'];
                header('Location: index.php');
                exit();
            }
            else {
                $total_count++;
                $rem_attempts = 3-$total_count;
                if ($rem_attempts==0) {
                    echo '<div class="alert-box error">
                    Osiągnięto limit prób logowania. Spróbuj ponownie po 30 sekundach.</div>';
                } else {
                    echo '<div class="alert-box error">
                    Nieprawidłowe dane logowania.<br>Pozostało prób: '.$rem_attempts.'</div>';
                }
                $try_time=time();
                mysqli_query($connect, "INSERT INTO login_attempts(id, ip, log_times) VALUES ('','".$ip_address."','".$try_time."')");
            }
        }
        else {
            echo '<div class="alert-box error">
            Nieprawidłowe dane logowania.</div>';
        }
    }
}
$connect->close();
?>
log_attempts.php:
<?php
require 'db.php';
function getIpAddr() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])){
        $ipAddr=$_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ipAddr=$_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ipAddr=$_SERVER['REMOTE_ADDR'];
    }
    return $ipAddr;
}
?>
and database:
CREATE TABLE `login_attempts` (
    `id` INT(11) NOT NULL,
    `ip` VARBINARY(16) NOT NULL,
    `log_times` BIGINT(20) NOT NULL
)
COLLATE='utf8_general_ci'
ENGINE=InnoDB
;
After entering the wrong password for an existing login, it keeps saying that there are 2 attempts left, and no record is registered in the login_attempts database. What went wrong? I took the counter code from this source: http://phpgurukul.com/how-to-limit-login-attempt-using-php-and-mysql/
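
An added example, not part of the original post or the linked tutorial: a version of the attempt counter in which a failing INSERT raises an exception instead of passing silently, every query is a prepared statement, and the limiter is keyed on REMOTE_ADDR in packed form rather than on client-supplied headers. It assumes `$connect` is the mysqli handle from db.php and that `login_attempts.id` has been changed to an AUTO_INCREMENT primary key (a schema change not shown on the page); the function and constant names are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes $connect is the mysqli handle
// from db.php and that login_attempts.id is an AUTO_INCREMENT primary key.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw

const MAX_ATTEMPTS = 3;     // hypothetical names; values taken from the post
const WINDOW_SECONDS = 30;

// REMOTE_ADDR is the peer address seen by the web server; the forwarded
// headers read by getIpAddr() are sent by the client and reach the SQL unescaped.
// The packed form (4 bytes for IPv4, 16 for IPv6) fits VARBINARY(16).
function clientIpPacked(): string {
    $packed = inet_pton($_SERVER['REMOTE_ADDR'] ?? '');
    if ($packed === false) {
        throw new RuntimeException('Unparseable REMOTE_ADDR');
    }
    return $packed;
}

function recentAttempts(mysqli $connect, string $ip): int {
    $since = time() - WINDOW_SECONDS;
    $stmt = $connect->prepare(
        'SELECT COUNT(*) FROM login_attempts WHERE log_times > ? AND ip = ?');
    $stmt->bind_param('is', $since, $ip);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int)$count;
}

function recordFailedAttempt(mysqli $connect, string $ip): void {
    $now = time();
    // id is omitted so the database assigns it.
    $stmt = $connect->prepare(
        'INSERT INTO login_attempts (ip, log_times) VALUES (?, ?)');
    $stmt->bind_param('si', $ip, $now);
    $stmt->execute(); // throws mysqli_sql_exception if the row is rejected
    $stmt->close();
}

// ">=" rather than "==" so a count that overshoots the limit still locks out.
function isLockedOut(mysqli $connect, string $ip): bool {
    return recentAttempts($connect, $ip) >= MAX_ATTEMPTS;
}
```

Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the forwarded header should be read only when the request comes from a proxy address you control.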