Hey guys, I'm pretty new to PHP and am trying to use my MySQL database to restrict failed login attempts on my login form. It is meant to allow 3 tries, then lock the person out for 30 mins. I am taking the database approach because others such as cookies and sessions can be easily tampered with and deleted. Currently I have it working to the point where it adds a record in my database with the IP and last login time, but the loginAttempts is set at 3 straight away.

$Login=$_POST['Login'];
if($Login){ // If clicked on Login button.
    $ip=$_SERVER['REMOTE_ADDR'];
    $time = date("d/m/y : H:i:s", time());
    $attempts=mysql_query("select Attempts from LoginAttempts where ip='$ip'LIMIT 1");
    $attempts = $attempts + 1;
    mysql_query("INSERT INTO LoginAttempts (IP, Attempts, LastLogin) VALUES ('$ip', '$attempts', '$time')");
    $LastLogin=mysql_query("select LastLogin from LoginAttempts where ip='$ip'LIMIT 1");
    if(($time - 1800) < $LastLogin && $attempts > 3) {
        mysql_close();
        session_destroy();
        $error = "You must wait 30 mins before you try logging in again!";
    }

PHP: Script continues but isn't relevant

If anyone could help me fix this I would very much appreciate the help. If you need any more information just let me know! Thanks
It's the way you're going about your queries, just place into the database one new record every failed attempt. When you're logging in the user then check if they have gone over the amount of times you want the max to be. Do that with mysql_num_rows() and if they have entered the correct information and have not surpassed the amount delete all of the fails and log them in.
Thanks for the reply mate. If I am allowing a record to just be entered every time someone attempts to log in and fails, they can just spam the hell out of my form. I need it so that the attempted login is recorded and the form can only be submitted if the attempted logins have not been exceeded. Any help will be greatly appreciated guys.
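
An added example, not part of any post in this thread: one way to combine the second post's one-row-per-failed-attempt idea with a 30-minute lockout that is checked before the submission is processed. It uses PDO prepared statements and integer timestamps; the table `FailedLogins`, the function names and the sample values are assumptions, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example. Table and function names are hypothetical; SQLite in memory
// stands in for the thread's MySQL database so the script runs offline.
const MAX_FAILS = 3;        // tries allowed, as in the question
const LOCK_SECONDS = 1800;  // 30 minute lockout window

// Count this address's failures inside the window, comparing integers
// rather than formatted date strings.
function recentFails(PDO $db, string $ip, int $now): int {
    $q = $db->prepare('SELECT COUNT(*) FROM FailedLogins WHERE ip = ? AND failed_at > ?');
    $q->execute([$ip, $now - LOCK_SECONDS]);
    return (int) $q->fetchColumn();
}

// Returns 'locked', 'failed' or 'ok'. $passwordOk is the result of the real
// credential check (e.g. password_verify), passed in to keep the example short.
function attemptLogin(PDO $db, string $ip, bool $passwordOk, int $now): string {
    if (recentFails($db, $ip, $now) >= MAX_FAILS) {
        return 'locked';   // refused before any check, and no new row is written
    }
    if ($passwordOk) {
        $db->prepare('DELETE FROM FailedLogins WHERE ip = ?')->execute([$ip]);
        return 'ok';
    }
    $db->prepare('INSERT INTO FailedLogins (ip, failed_at) VALUES (?, ?)')
       ->execute([$ip, $now]);
    return 'failed';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE FailedLogins (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');

$ip = '203.0.113.7';   // constructed sample address (documentation range)
$t0 = 1700000000;      // constructed starting timestamp
// Constructed sequence: three failures, two tries while locked, one after expiry.
$steps = [[0, false], [10, false], [20, false], [30, true], [40, false], [20 + LOCK_SECONDS, true]];
foreach ($steps as [$offset, $passwordOk]) {
    $result = attemptLogin($db, $ip, $passwordOk, $t0 + $offset);
    $rows = $db->query('SELECT COUNT(*) FROM FailedLogins')->fetchColumn();
    printf("t+%4d  %-6s  rows=%d\n", $offset, $result, $rows);
}
```

Because a locked-out address writes no further rows, the table grows by at most three rows per address per window, which is the concern raised in the last post.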