0

我需要帮助来限制用户的登录尝试。这是我的代码。

$login = login($username, $password);
        if($login === false) {
            if(isset($_COOKIE['login'])){
                      if($_COOKIE['login'] < 3){
                           $attempts = $_COOKIE['login'] + 1;
                           setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
                           $errors[] = 'That username/password combination is incorrect!';
                      } else{
                           echo 'You are banned for 10 minutes. Try again later';
                      }
            } else {
                   setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
             }

        } else {        
            $_SESSION['user_id'] = $login;
            header('Location: ../../home.php');
            exit();
        }

它看起来很适合我,但它就是行不通。即使在尝试 3 次登录后,用户仍然可以访问他/她的帐户。

4

3 回答 3

3

使用 SQL 数据库,我目前正在处理一段代码,给我大约一个小时,我会为你举一个例子

PHP:

<?php
$host = "";//Host name
$username = "";//MYSQL username
$password = "";//MYSQL password
$db_name = "";//Database name
$tbl_name = "";//Name of login table
$bl_name2 = "";//Name of table to store IP if attempt is incorrect

//connect to server and select database
try{
$conn = new PDO('mysql:host='.$host.';dbname='.$db_name.'',$username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);}
catch(PDOException $e){
echo 'ERROR: ' . $e->getMessage();}

//get users ip next, as this is for a log in, this example will show for username and pass also
$userIP = $_SERVER['REMOTE_ADDR'];
$userPassword = $_POST['passwordfromform'];
$userUsername = $_POST['usernamefromform']

if(empty($userUsername) && empty($userPassword)){
die("You must enter a username and password");
}

//check for log in excess
$checkSql="
SELECT * FROM ".$tbl_name2."
WHERE PostersIP = '".$userIP."'
";
$stmt = $db->query($checkSql);
$row_count = $stmt->rowCount();
if($rowcount >= 7){//change this number to reflect the nuber of login chances
die("You have tried to log in too many times");
}

//check to log in
$insertSql = "
SELECT * FROM ".$tbl_name."
WHERE USERNAME = '".$userUsername."'
AND PASSWORD = '".$userPassword."'";

//execute check query
$result = $conn->query($insertSql);
if($result != false){
echo "Username and Password were correct!";//link to correct page
}
else{
$incorrectSql="
INSERT INTO ".$tbl_name2."
(PostersIP) VALUES 
('".$userIP."')";
    $result2 = $conn->query($incorrectSql);
     if($result2 != false){
          die("You entered an invalid username or password, your attempt has been stored.");
        }
die("Error inserting data");
}
?>

我没有现场测试,所以可能会有一些缺陷,但是我对你的评价很好。您确实需要第二张表来存储用户提交的 ips。这是一种非常混乱的方法。我很确定有更好的方法来做到这一点,但我的 10 分钟解决方案有 :)

于 2013-01-28T01:49:19.457 回答
1

使用数据库,我建议使用 IP 地址。看看这个获取用户 ip 地址 php 的权威方法

捕获用户名、密码和时间戳,将这些记录到表中,无论是失败还是成功。设置您想要禁止它们的参数。

为您的登录脚本添加一个检查以检查 IP 地址,并且仅在该 IP 地址未用于 3 次失败尝试时才允许他们输入详细信息。

显然,您可能需要一个新表来记录被禁止的 IP 地址以及允许他们重新输入详细信息的时间。

于 2013-01-28T01:44:52.163 回答
0

我只想制作另一个包含 cols 的表:用户名、时间戳、尝试。这将在时间戳的 10 分钟内检查用户名的尝试(在第一次尝试时设置)。

If ( attempts > max attempts then attempt login )
   { "Sorry to many attempts"
   else { Check login 
       if failed { Attempts++ } else (login success) { set attempts = 0 } 
(reset attempts counter)}
 }
于 2017-12-11T17:44:24.483 回答