Php 如何设置用户在多次尝试失败后可以锁定多长时间?
我想在多次尝试登录失败10分钟后锁定特定用户。目标是将用户pNumber作为锁定标准,而不是IP地址,因为IP地址由多个用户使用 当我执行基于ip的选择时,代码能够检查用户是否输入了错误的PNNumber和密码,以及这是否正确。它打印错误,指示第一次尝试是错误的,同时将失败的尝试存储在db_表中。因此,当总失败尝试数>=3时,它将锁定 这不是我想要的,因为我希望它锁定一段特定的时间,它应该根据用户的pNumber而不是IP地址来锁定。IP地址由许多用户共享Php 如何设置用户在多次尝试失败后可以锁定多长时间?,php,mysql,database,loops,session,Php,Mysql,Database,Loops,Session,我想在多次尝试登录失败10分钟后锁定特定用户。目标是将用户pNumber作为锁定标准,而不是IP地址,因为IP地址由多个用户使用 当我执行基于ip的选择时,代码能够检查用户是否输入了错误的PNNumber和密码,以及这是否正确。它打印错误,指示第一次尝试是错误的,同时将失败的尝试存储在db_表中。因此,当总失败尝试数>=3时,它将锁定 这不是我想要的,因为我希望它锁定一段特定的时间,它应该根据用户的pNumber而不是IP地址来锁定。IP地址由许多用户共享 session_start(); in
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//check login attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$when = date('m/d/Y h:i:s', time());
$aptSql = mysql_query("SELECT COUNT(ip) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysql_free_result();
?>
<script>alert('<?php echo $failed_attempt;?>');</script>
<?php
if($failed_attempt >= 3)
{
$time = new Datetime();
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
//Users login details
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//check the details entered by user
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `when`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$when', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>alert('You entered an invalid username or password, your attempt has been stored.');</script>
<?php
}
else
{
?>
<script>alert('Error Inserting your details. Please, see your department manager');</script>
<?php
}
}
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="Lee & Micheal" content="">
<link rel="icon" href="../favicon.ico">
<title>Employee Time Stamp System</title>
<!-- Bootstrap core CSS -->
<link href="../dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="signin.css" rel="stylesheet">
<!-- debug and js -->
<script src="../assets/js/ie-emulation-modes-warning.js"></script>
</head>
<body>
<div class="container">
<tr>
<td><center><h1>EMPLOYEE LOGIN</h1></center><br></td>
</tr>
<form method="post" class="form-signin" ><br>
<h2 class="form-signin-heading">LOGIN</h2>
<label for="inputEmail" class="sr-only">Personal ID</label>
<input type="text" name="pNumber" id="inputEmail" class="form-control" placeholder="Personal ID" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="pass" id="inputPassword" class="form-control" placeholder="Password" required>
<div class="checkbox">
<label>
<input type="checkbox" value="remember-me"> Remember me
</label>
</div>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="btn-login">Login in</button>
</form>
</div> <!-- /container -->
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
致:
这就是代码现在的样子
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//check login attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$when = date('m/d/Y h:i:s', time());
$aptSql = mysqli_query($con, "SELECT COUNT(ip) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysqli_free_result();
?>
<script>alert('<?php echo $failed_attempt;?>');</script>
<?php
if($failed_attempt >= 3)
{
$time = new Datetime();
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
//Users login details
$pNumber = mysqli_real_escape_string($_POST['pNumber']);
$upass = mysqli_real_escape_string($_POST['pass']);
//check the details entered by user
$res=mysqli_query($con, "SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysqli_fetch_array($res);
if($row['password']==phpass($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysqli_query($con, "INSERT INTO `employees`.`attempts` (`id`, `ip`, `when`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$when', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>alert('You entered an invalid username or password, your attempt has been stored.');</script>
<?php
}
else
{
?>
<script>alert('Error Inserting your details. Please, see your department manager');</script>
<?php
}
}
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="Lee & Micheal" content="">
<link rel="icon" href="../favicon.ico">
<title>Employee Time Stamp System</title>
<!-- Bootstrap core CSS -->
<link href="../dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="signin.css" rel="stylesheet">
<!-- debug and js -->
<script src="../assets/js/ie-emulation-modes-warning.js"></script>
</head>
<body>
<div class="container">
<tr>
<td><center><h1>EMPLOYEE LOGIN</h1></center><br></td>
</tr>
<form method="post" class="form-signin" ><br>
<h2 class="form-signin-heading">LOGIN</h2>
<label for="inputEmail" class="sr-only">Personal ID</label>
<input type="text" name="pNumber" id="inputEmail" class="form-control" placeholder="Personal ID" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="pass" id="inputPassword" class="form-control" placeholder="Password" required>
<div class="checkbox">
<label>
<input type="checkbox" value="remember-me"> Remember me
</label>
</div>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="btn-login">Login in</button>
</form>
</div> <!-- /container -->
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
session_start();
包括_once'dbconnect.php';
如果(isset($_会话['user'])!=“”)
{
标题(“Location:home.php”);
}
如果(isset($_POST['btn-login']))
{
//检查登录尝试
$userIP=$\u服务器['REMOTE\u ADDR'];
$trunt\u id=NULL;
$when=日期('m/d/Y h:i:s',time());
$aptSql=mysqli_查询($con,“从pNumber='$pNumber'的尝试中选择计数(ip)作为失败的_日志);
行计数=mysqli\u获取\u assoc($aptSql);
$failed_尝试=$row_计数['failed_log'];
$aptSql=mysqli_free_result();
?>
警报(“”);
警报('抱歉,您已超过允许的尝试次数。请与您的部门经理联系');
警报(“”);
警报('抱歉,您已超过允许的尝试次数。请与您的部门经理联系');
警报(“”);
警报('现在的时间是:')
警报('转换的时间:')
警报('抱歉,您已超过允许的尝试次数。请与您的部门经理联系');
首先,请使用mysqli
或PDO
,因为mysql
已折旧,将在PHP7中删除。在我建议的代码中,它使用mysqli
,需要连接变量,在这种情况下定义为$con。
如果尚未连接,则连接的定义如下:
$con = mysqli_connect("my_ip", "my_user", "my_password", "my_db");
从您的$aptSql
查询中我可以看出,它有计数(ip)
。我不知道这里到底发生了什么,但我建议使用以下方法之一
$aptSql = mysqli_query($con, "SELECT COUNT(*) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysqli_free_result();
或:
此选项中的第二行也可能是:(我是从内存中执行此操作的,当前没有测试环境)
要锁定特定时间,请将帐户锁定到用户数据库的时间添加到lastlocked
下面,并将其与登录时的当前时间进行比较,以检查是否已过10分钟。好的,我有两个建议
首先:在用户被锁定并记录时间后,为了防止用户因此行而被锁定:如果($failed\u trunt>=3)
重置该用户的失败尝试计数
检查用户是否被阻止时,请根据时间而不是失败的尝试次数进行检查。使用失败的尝试来启动锁定。这样,在锁定过期后,用户将不会被锁定在失败的尝试中
其次:当检查用户是否被锁定(通过比较时间)时,您可以通过以下方式将记录的时间与当前时间进行比较:
if (time() - $recordedtime) < 1800) { /* 1800 seconds is 30 minutes */
/* user is locked out */
}
if(time()-$recordedtime)<1800{/*1800秒是30分钟*/
/*用户已被锁定*/
}
这将检查自记录时间起是否已过1800秒(30分钟)
注意:由于这不检查日期,如果用户在第二天尝试登录,可能会出现复杂情况。因此,我建议您删除锁过期后存储的记录时间。您可以使用mysqli
,因为mysql
被折旧,然后使用mysqli\u num\u行
您正在散列密码(这是好的)但是你使用的是MD5(这是坏的),并且你没有给每个用户加盐(这是坏的)。PHP附带了一个hash_password()
函数,可以很容易地为你做所有这些事情。是“pNumber”本质上是用户名?如果是这样,请记住,用户可能会被想要锁定用户帐户的恶意方锁定-他们的工作是发现密码,然后反复获得错误的密码。受影响的用户将无法登录。这是一个学校项目,我落后于计划。我知道如何解决问题吗?
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$lastlocked = date('m/d/Y h:i:s', time());
$query = mysqli_query ($con, "SELECT id, pNumber, UNIX_TIMESTAMP(lastlocked) as lockDatetimestamp ROM manage_users HERE (id = $attempt_id) and (lastlocked IS NOT NULL) and
(lastlocked <= DATE_SUB(now(), INTERVAL 10 MINUTE))");
$new_row = mysqli_fetch_array($query);
$lockedtime = $mysqli_fetch_array['lockDatetimestamp'];
$query=mysqli_free_result();
$aptSql = mysqli_free_result();
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//prevents SQL injecions
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//used for failed attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$aptSql = mysql_query("SELECT COUNT(pNumber) AS failed_log FROM attempts WHERE ip='$userIP'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$lastlocked = mysql_query("SELECT MAX(lastlocked) FROM attempts WHERE pNumber='$pNumber'");
$yeah = mysql_fetch_array($lastlocked);
if($failed_attempt >= 3)
{
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
elseif(strtotime($lastlocked) < time())
{
?>
<script>alert('<?php echo $lastlocked['lastlocked'];?>');</script>
<?php
}
else
{
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>
alert('You entered an invalid username or password, your attempt has been stored.');
</script>
<?php
}
else
{
?>
<script>
alert('Error Inserting your details. Please, see your department manager');
</script>
<?php
}
}
}
}
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//prevents SQL injecions
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//used for failed attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$aptSql = mysql_query("SELECT COUNT(pNumber) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$locked_time = mysql_query("SELECT LAST_INSERT_ID(), DATE_ADD(lastlocked, INTERVAL 2 MINUTE) AS cheknow FROM `attempts` ORDER BY id DESC LIMIT 1");
$show_row_res = mysql_fetch_array($locked_time);
$convert_time= strtotime($show_row_res['cheknow']);
$current_time = time();
?>
<script>alert('The time now is : <?php echo $current_time; ?>') </script>
<script>alert('The converted time : <?php echo $convert_time['cheknow']; ?>') </script>
<?php
//check attempts and lock out user not ip address
if($failed_attempt >= 3 and $convert_time > $current_time)
{
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>
alert('You entered an invalid username or password, your attempt has been stored.');
</script>
<?php
}
else
{
?>
<script>
alert('Error Inserting your details. Please, see your department manager');
</script>
<?php
}
}
}
}
$con = mysqli_connect("my_ip", "my_user", "my_password", "my_db");
$aptSql = mysqli_query($con, "SELECT COUNT(*) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysqli_free_result();
$aptSql = mysqli_query($con, "SELECT * FROM attempts WHERE pNumber='$pNumber'");
$failed_attempt = mysqli_num_rows($aptSql);
$aptSql = mysqli_free_result();
$failed_attempt = mysqli_num_rows(mysqli_fetch_assoc($aptSql));
if (time() - $recordedtime) < 1800) { /* 1800 seconds is 30 minutes */
/* user is locked out */
}