What's wrong with my code? It doesn't seem to be counting, even after many attempts. I want to redirect the user to the account registration page after 3 failed attempts.

<?php
$atmp = 0;
if (isset($_POST['login'])) {
    $user  = $_POST['username'];
    $pword = $_POST['password'];
    include ("connection.php");
    $atmp = $_POST['hidden'];
    if ($atmp < 3) {
        $query  = "SELECT fld_username, fld_password FROM tbl_account WHERE fld_username = '$user' AND fld_password = '$pword'";
        $result = mysqli_query ($conn, $query);
        if ($query) {
            if (mysqli_num_rows($result)) {
                while (mysqli_fetch_array($result)) {
                    echo "<script> alert('You are logged in Successfully!'); window.location = 'profile.php'; </script>";
                }
            }
            else {
                $atmp++;
                echo '<script> alert("You have invalid username/password and the number of attempt is '. $atmp .'");window.location = "index.php";</script>';
            }
        }
    }
    if ($atmp == 3) {
        echo '<script> alert("You have invalid username/password!");window.location = "accountregistration.php";</script>';
    }
}
?>


This is the HTML code:

<!DOCTYPE html>
<html>
<head>
<title>LOGIN</title>
</head>
<body>
<form action="" method="POST">
    <?php
    echo "<input type = 'hidden' name = 'hidden' value =  '".$atmp."'>";
    ?>
    <fieldset>
        <legend>Login</legend>
        <label>Username:</label><input type="Text" name="username" id="username"><br><br>
        <label>Password:</label><input type="password" name="password" id="password"><br><br>
                       <input name="login" type="submit" value="Login">   <input name="clear" type="reset" value="Clear">
    </fieldset>
</form>
</body>
</html>


What I have tried:

If I change $atmp = 0; to $atmp = 3;, it redirects me to the registration page. My problem is that it is not counting the attempts.
Updated 4-Nov-21 19:50pm
Comments
Richard Deeming 5-Nov-21 5:48am
   
In addition to the SQL Injection[^] vulnerabilities in your code, you are storing passwords in plain text. Don't do that!
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

PHP even provides built-in functions to help you do the right thing:
PHP: password_hash[^]
PHP: password_verify[^]

You cannot count attempts like that. It would only work if there was only ever one user of the system, but websites rarely ever have a single user.

You would normally track the number of attempts in the database, along with the datetime of the "first" attempt. Why the datetime? Well, you don't really want the limit of attempts to last forever, do you? Attempts have to expire at some point, or you're going to generate calls to the help desk to have the account unlocked.

When a login attempt is made, you look up the username and get the number of attempts and the datetime. Check the datetime against the number of days (or hours, or minutes) after which you want the attempts to expire. If that difference is greater than your expiry time, you can let the "attempt" go through. If not, then you just ignore the attempt to log in and update the datetime with the current datetime.

If you do end up checking the login, and the password does not match, you increase the "number of attempts" value and set the datetime to the current datetime.

If the username/password matches, you reset the number of attempts to 0 and reset the datetime value for that user.
   
You have a much bigger problem: your code is left open to SQL injection attacks.
Never ever build SQL queries by concatenating with user-input strings.
Use parameterized queries instead.
Parameterized queries in PHP with MySQL connection[^]

For your issue, I don't see where you persist the $atmp variable between page calls. Your PHP script is executed at every page load, so a local variable will not retain its previous value and will be initialized the same way every time.

I'm not a PHP specialist, but one thing I can see is that you load $atmp value from hidden field in request, but you never set this field back when the value changes. At each page load, your script gets the same value.
Variable persistence in PHP[^]
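Putting the comments above together, here is an added example of a login handler that tracks attempts per user in the database, lets the lock expire, uses prepared statements and stores password hashes. It is not the poster's code and not from either commenter. It assumes things the page does not state: a column fld_password_hash (holding password_hash() output) in place of the plain-text fld_password, two extra columns fld_attempts INT and fld_last_attempt DATETIME NULL on tbl_account, that connection.php provides a mysqli $conn, and that the mysqlnd driver is present so get_result() is available. The attempt limit and expiry window are hypothetical policy values; the lockout only applies once the counter has reached the limit, while a successful login resets it.

```php
<?php
// Added example, not the original poster's code. Assumed schema (not on the
// page): tbl_account(fld_username, fld_password_hash, fld_attempts INT,
// fld_last_attempt DATETIME NULL). $conn is the mysqli connection that
// connection.php provides; mysqlnd is assumed so that get_result() works.
declare(strict_types=1);

const MAX_ATTEMPTS   = 3;       // hypothetical policy: lock after 3 failures ...
const EXPIRE_SECONDS = 15 * 60; // ... and let that lock expire after 15 minutes

/** Store a new account with a salted, adaptive hash (used at registration). */
function register_account(mysqli $conn, string $user, string $pword): void
{
    $hash = password_hash($pword, PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        'INSERT INTO tbl_account (fld_username, fld_password_hash, fld_attempts, fld_last_attempt)
         VALUES (?, ?, 0, NULL)'
    );
    $stmt->bind_param('ss', $user, $hash);
    $stmt->execute();
    $stmt->close();
}

/** Write the attempt counter and the "last attempt" timestamp for one user. */
function record_attempts(mysqli $conn, string $user, int $attempts): void
{
    $stmt = $conn->prepare(
        'UPDATE tbl_account SET fld_attempts = ?, fld_last_attempt = NOW() WHERE fld_username = ?'
    );
    $stmt->bind_param('is', $attempts, $user);
    $stmt->execute();
    $stmt->close();
}

/** Returns 'ok', 'bad_credentials' or 'locked'. User input never enters the SQL text. */
function attempt_login(mysqli $conn, string $user, string $pword): string
{
    $stmt = $conn->prepare(
        'SELECT fld_password_hash, fld_attempts, fld_last_attempt FROM tbl_account WHERE fld_username = ?'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return 'bad_credentials';   // unknown user: same answer as a wrong password
    }

    $attempts = (int) $row['fld_attempts'];
    $last     = $row['fld_last_attempt'] === null ? 0 : strtotime($row['fld_last_attempt']);
    $expired  = (time() - $last) > EXPIRE_SECONDS;

    if ($attempts >= MAX_ATTEMPTS && !$expired) {
        // Still inside the lockout window: do not check the password,
        // only refresh the timestamp (as the comment above describes).
        record_attempts($conn, $user, $attempts);
        return 'locked';
    }
    if ($expired) {
        $attempts = 0;   // the window has passed, start counting afresh
    }

    if (password_verify($pword, $row['fld_password_hash'])) {
        record_attempts($conn, $user, 0);   // success resets counter and timestamp
        return 'ok';
    }
    record_attempts($conn, $user, $attempts + 1);
    return 'bad_credentials';
}

// Request handling, replacing the hidden-field counter from the question.
if (isset($_POST['login'])) {
    include 'connection.php';
    $outcome = attempt_login($conn, (string) $_POST['username'], (string) $_POST['password']);
    if ($outcome === 'ok') {
        session_start();
        session_regenerate_id(true);        // fresh session id after authentication
        $_SESSION['user'] = (string) $_POST['username'];
        header('Location: profile.php');
    } elseif ($outcome === 'locked') {
        header('Location: accountregistration.php');   // the question's chosen destination
    } else {
        header('Location: index.php');
    }
    exit;
}
```

Note that the counter lives in the row for that username, so two users failing at the same time do not share a count, and nothing the browser sends (the hidden field in the original) can reset it. The redirect target for the locked case is kept from the question; a "try again later" page would be the more usual choice.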
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
