How do I block a user after 3 login attempts and store that in the database? I already added two columns to the user table, one for the number of login attempts and a second for the datetime of the last login. Please help me with how to do this. I'm not good at PHP.
Thanks
Here's my login.php
session_start();

// Client address for the log. Only REMOTE_ADDR is set by the web server; the
// X-Forwarded-* / Forwarded / Client-IP headers are sent by the client and can
// be forged, so they are only meaningful behind a proxy you control.
$ipaddress = 'UNKNOWN';
foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
          'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'] as $key) {
    if (getenv($key)) {
        $ipaddress = getenv($key);
        break;
    }
}
$loginDate = date("Y-m-d H:i:s");
$Error = "";
$successMessage = "";

if (isset($_POST['submit'])) {
    // Reject if EITHER field is empty (the original test used && and only caught the case where both were empty).
    if ($_POST['cnumber'] != "" && $_POST['password'] != "") {
        $cnumber  = filter_var($_POST['cnumber'], FILTER_SANITIZE_NUMBER_INT);
        $password = sha1($_POST['password']); // unsalted sha1; password_hash()/password_verify() is the better choice
        if (filter_var($cnumber, FILTER_VALIDATE_INT) !== false) {
            $con = mysqli_connect("localhost", "root", "", "users");

            // Prepared statements throughout: $ipaddress comes straight from request
            // headers, so interpolating it into the INSERT below was an SQL injection.
            $stmt = mysqli_prepare($con, "SELECT 1 FROM users WHERE contractNumber = ? AND password = ?");
            mysqli_stmt_bind_param($stmt, "is", $cnumber, $password);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_store_result($stmt);
            $data = mysqli_stmt_num_rows($stmt);
            mysqli_stmt_close($stmt);

            if ($data == 1) {
                $_SESSION['login_user'] = $cnumber;
                $stmt = mysqli_prepare($con, "INSERT INTO `users`.`logs` (`contractNumber`, `lastLogin`, `ipAddress`) VALUES (?, ?, ?)");
                mysqli_stmt_bind_param($stmt, "iss", $cnumber, $loginDate, $ipaddress);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_close($stmt);
                mysqli_close($con);
                header('Location: profile.php');
                exit; // without this the rest of the page still runs after the redirect header
            } else {
                $Error = "Invalid Contract Number or Password.";
                // Counts the failure, but nothing reads loginAttempt before the password check yet,
                // so no lockout actually happens.
                $stmt = mysqli_prepare($con, "UPDATE users SET loginAttempt = loginAttempt + 1 WHERE contractNumber = ?");
                mysqli_stmt_bind_param($stmt, "i", $cnumber);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_close($stmt);
            }
            mysqli_close($con);
        } else {
            $Error = "Invalid Contract Number.";
        }
    } else {
        $Error = "Contract Number or Password is Empty.";
    }
}
Don't use cookies, as the hacker can still disable cookies and continue brute-force attacks. Use your database instead. For every failed attempt, log it into the table, together with a time stamp. Then on each request, do a query with the user ID and time stamp, then get the count. That should give you the number of times tried.
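One way to implement the answer's approach with the question's mysqli setup, as an added example that is not part of the original question or answer. It assumes a separate `login_attempts` table (one row per failure, with `contractNumber` and `attemptedAt`), which the question does not have, keeps the question's `users` table with an unsalted sha1 hex in `password`, and locks an account after 3 failures inside a 15-minute window. The table name, column names, constants and function names are all assumptions.

```php
<?php
// Added example (not the question's or answer's code). Assumed schema:
//   CREATE TABLE login_attempts (
//       contractNumber INT NOT NULL,
//       attemptedAt    DATETIME NOT NULL,
//       INDEX (contractNumber, attemptedAt)
//   );
// plus the question's users table with an unsalted sha1 hex in `password`.

const MAX_ATTEMPTS   = 3;    // failures allowed inside the window
const WINDOW_SECONDS = 900;  // 15 minutes; the lock expires on its own

// Count the failed logins recorded for this account inside the window.
function failedAttempts(mysqli $con, int $cnumber): int
{
    $cutoff = date('Y-m-d H:i:s', time() - WINDOW_SECONDS);
    $stmt = $con->prepare(
        'SELECT COUNT(*) FROM login_attempts WHERE contractNumber = ? AND attemptedAt > ?'
    );
    $stmt->bind_param('is', $cnumber, $cutoff);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// Every failed attempt becomes a new row with a timestamp, as the answer suggests.
function recordFailure(mysqli $con, int $cnumber): void
{
    $now  = date('Y-m-d H:i:s');
    $stmt = $con->prepare('INSERT INTO login_attempts (contractNumber, attemptedAt) VALUES (?, ?)');
    $stmt->bind_param('is', $cnumber, $now);
    $stmt->execute();
    $stmt->close();
}

// A successful login wipes the account's failure history.
function clearFailures(mysqli $con, int $cnumber): void
{
    $stmt = $con->prepare('DELETE FROM login_attempts WHERE contractNumber = ?');
    $stmt->bind_param('i', $cnumber);
    $stmt->execute();
    $stmt->close();
}

// Returns 'locked', 'ok' or 'invalid'. The lock is checked before the password
// is compared, so a locked account cannot be guessed against at all.
function attemptLogin(mysqli $con, int $cnumber, string $password): string
{
    if (failedAttempts($con, $cnumber) >= MAX_ATTEMPTS) {
        return 'locked';
    }

    $stmt = $con->prepare('SELECT password FROM users WHERE contractNumber = ?');
    $stmt->bind_param('i', $cnumber);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // sha1() only because that is what the question's table stores;
    // password_hash()/password_verify() is the right choice for new code.
    if ($found === true && hash_equals((string) $storedHash, sha1($password))) {
        clearFailures($con, $cnumber);
        return 'ok';
    }

    // Unknown contract numbers are counted too, so after three tries the
    // 'locked' response looks the same whether or not the account exists.
    recordFailure($con, $cnumber);
    return 'invalid';
}

// Usage in login.php, after the input validation from the question:
$con = mysqli_connect('localhost', 'root', '', 'users');
mysqli_set_charset($con, 'utf8mb4');
switch (attemptLogin($con, (int) $cnumber, $_POST['password'])) {
    case 'locked':
        $Error = 'Too many failed logins. Try again in 15 minutes.';
        break;
    case 'ok':
        $_SESSION['login_user'] = $cnumber;
        header('Location: profile.php');
        exit;
    default:
        $Error = 'Invalid Contract Number or Password.';
}
```

Two caveats a practitioner would want. A per-account lock is itself a denial-of-service lever: anyone who knows a contract number can lock its owner out by sending three bad passwords, which is why the example uses an expiring window rather than a permanent flag, and why a separate per-source limit keyed on `REMOTE_ADDR` (never on a client-supplied `X-Forwarded-For`) is worth adding alongside it. And every value that reaches SQL here goes through a bound parameter, unlike the string-built queries in the question.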