3 login attempts not counting in PHP

Question

1.00/5 (1 vote)

See more:

What's wrong in my code? It seems like it's not counting even if I try many attempts because I want to redirect the user to account registration page after 3 error attempts.

<?php
    $atmp = 0;
if (isset($_POST['login'])){
    $user = $_POST['username'];
    $pword = $_POST['password'];
    include ("connection.php");
    $atmp = $_POST['hidden'];
    if($atmp<3){
    $query  = "SELECT fld_username, fld_password FROM tbl_account WHERE fld_username = '$user' AND fld_password = '$pword'";
    $result = mysqli_query ($conn, $query);
    if($query){
        if (mysqli_num_rows($result)){
            while (mysqli_fetch_array($result)) {
                echo "<script> alert('You are logged in Successfully!'); window.location = 'profile.php'; </script>";
            }
        }
        else{
            $atmp++;
            echo '<script> alert("You have invalid username/password and the number of attempt is '. $atmp .'");window.location = "index.php";</script>';
        }
    }    
}
if ($atmp==3) {
    echo '<script> alert("You have invalid username/password!");window.location = "accountregistration.php";</script>';
  }
 }
?>

This is the code for HTML

<!DOCTYPE html>
<html>
<head>
<title>LOGIN</title>
</head>
<body>
<form action="" method="POST">
    <?php
echo "<input type = 'hidden' name = 'hidden' value =  '".$atmp."'>";
    ?>
    <fieldset>
        <legend>Login</legend>
        <label>Username:</label><input type="Text" name="username" id="username"><br><br>
        <label>Password:</label><input type="password" name="password" id="password"><br><br>
                       <input name="login" type="submit" value="Login">   <input name="clear" type="reset" value="Clear">
    </fieldset>
</form>
</body>
</html>

What I have tried:

If I change the $atmp = 0; to $atmp = 3;, it redirects me to the registration page. My problem is that it is not counting the attempts.

Posted 4-Nov-21 18:20pm

Christian Tejano

Updated 4-Nov-21 18:50pm

Add a Solution

Comments

Richard Deeming 5-Nov-21 5:48am

In addition to the SQL Injection[^] vulnerabilities in your code, you are storing passwords in plain text. Don't do that!
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

PHP even provides built-in functions to help you do the right thing:
PHP: password_hash[^]
PHP: password_verify[^]

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Answer 1 · 2021-11-04T18:43:00

You cannot count attempts like that. It would only work if there was only ever one user of the system, but websites rarely ever have a single user.

You would normally track the number of attempts in the database, along with the datetime of the "first" attempt. Why the datetime? Well, you don't really want the limit of attempts to last forever, do you? Attempts have to expire at some point, or you're going to generate calls to the help desk to have the account unlocked.

When a login attempt is made, you look up the username and get the number of attempts and the datetime. Check the datetime against your number of days (or hours, or minutes) you want the attempts to expire. If that difference is greater than your expire time, you can let the "attempt" go through. If not, then you just ignore the attempt to login and update the datetime with the current datetime.

If you do end up checking the login, and the password does not match, you increase the "number of attempts" value and set the datetime to the current datetime.

If the username/password matches, you reset the number of attempts to 0 and reset the datetime value for that user.

phil.o · Answer 2 · 2021-11-04T18:50:00

You have a much bigger problem: your code is left open to SQL injection attacks.
Never ever build SQL queries by concatenating with user-input strings.
Better use parameterized queries instead.
Parameterized queries in PHP with MySQL connection[^]

For your issue, I don't see where you persist $atmp variable between page calls. Your php script is executed at every page load, so a local variable will not retain its previous value and will be initialized the same way everytime.

I'm not a PHP specialist, but one thing I can see is that you load $atmp value from hidden field in request, but you never set this field back when the value changes. At each page load, your script gets the same value.
Variable persistence in PHP[^]

3 login attempts not counting in PHP

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0