-3

I am developing an application in PHP. It has a sign-in section. I want to know how I can block a user for (let's say) 15 minutes from logging into the account if the user enters a wrong password 4 times. How can I block logging in from that specific IP using PHP and MySQL?

Does anyone have a script, or can anyone refer me to any tutorials? Thanks

Majid Ali
  • You're going to want to get the user's IP address using `$_SERVER['REMOTE_ADDR'];`, and then you want to put that and the current timestamp into a database. Then when somebody logs in, you would check if the IP address of the user is in the database, and say something like `WHERE $timeNow < "$timeThen"` – Adam Joseph Looze Mar 08 '15 at 16:54

3 Answers

4

If the login fails x number of times, you would set `$loginFail` to 1, for example.

Then enter this info into a new database.

EDIT: using PDO

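    // $loginFail is 1 once the login has failed x number of times;
    // $pdo is an already-open PDO connection.
    if ($loginFail == 1) {
        $ip = $_SERVER['REMOTE_ADDR'];

        $date = new DateTime();
        $fdate = $date->format('Y-m-d H:i:s');

        // Store the IP address together with the time of the failure
        $sql = "INSERT INTO loginTracker (ipaddress, time) VALUES (:ipaddress, :time)";
        $q = $pdo->prepare($sql);
        $q->execute(array(':time' => $fdate,
                          ':ipaddress' => $ip));
    } else {
        $loginFail = 0;
    }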

Then when a user tries to log in, you would compare the timestamp and IP address in the above database with the user's IP address and the current timestamp.

  • There is **no more support** for `mysql_*` functions, they are [**officially deprecated**](https://wiki.php.net/rfc/mysql_deprecation), **no longer maintained** and will be [**removed**](http://php.net/manual/en/function.mysql-connect.php#warning) in the future. You should update your code with [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) to ensure the functionality of your project in the future. – DarkBee Mar 08 '15 at 17:22
  • 1
    Fine with me, I use PDO 99% of the time. I used mysql in this example because I notice most PHP newcomers use mysql – Adam Joseph Looze Mar 08 '15 at 17:45
  • 1
    :-) Better not to post outdated code, but you fixed that, I see. – DarkBee Mar 08 '15 at 18:54
0

Just log every attempt into a MySQL table with the fields IP and datetime. Then you will be able to select the time of the last attempt and count them after every login attempt.

Read this thread: How can I throttle user login attempts in PHP

Community
n-dru
0

You may use the visitor's IP address to store login attempts in the database and block access to the login feature for X minutes after Y unsuccessful attempts.

For full details you may refer to: http://webcheatsheet.com/php/blocking_system_access.php
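
The check the answers describe (log each failed attempt with IP and time, then count recent failures before accepting a login), written out as an added example that is not code from any of the posts. It assumes the 4-failure / 15-minute policy from the question and the `loginTracker(ipaddress, time)` table from the first answer; the function names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Assumptions: 4 failures / 15 minutes (from the question),
// table loginTracker(ipaddress, time) (from the first answer), SQLite in
// memory instead of MySQL for an offline run; the queries are portable.
const MAX_FAILURES = 4;
const WINDOW_SECONDS = 15 * 60;

function recordFailure(PDO $pdo, string $ip, int $now): void
{
    $q = $pdo->prepare('INSERT INTO loginTracker (ipaddress, time) VALUES (:ip, :t)');
    $q->execute([':ip' => $ip, ':t' => gmdate('Y-m-d H:i:s', $now)]);
}

// Seconds until $ip may try again; 0 means the attempt is allowed.
// Call this before checking the password, and skip the check while > 0.
function secondsBlocked(PDO $pdo, string $ip, int $now): int
{
    $q = $pdo->prepare('SELECT time FROM loginTracker
                        WHERE ipaddress = :ip AND time > :cutoff ORDER BY time DESC');
    $q->execute([':ip' => $ip, ':cutoff' => gmdate('Y-m-d H:i:s', $now - WINDOW_SECONDS)]);
    $recent = $q->fetchAll(PDO::FETCH_COLUMN);
    if (count($recent) < MAX_FAILURES) {
        return 0;
    }
    // The block runs for 15 minutes from the most recent failure.
    $last = strtotime($recent[0] . ' UTC');
    return max(0, $last + WINDOW_SECONDS - $now);
}

function clearFailures(PDO $pdo, string $ip): void // call after a successful login
{
    $pdo->prepare('DELETE FROM loginTracker WHERE ipaddress = :ip')->execute([':ip' => $ip]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE loginTracker (ipaddress VARCHAR(45) NOT NULL, time DATETIME NOT NULL)');

// Constructed scenario: a documentation-range address fails 4 times, 10 s apart.
$ip = '203.0.113.7';
$t0 = 1700000000; // fixed clock so the run is repeatable
for ($i = 0; $i < MAX_FAILURES; $i++) {
    recordFailure($pdo, $ip, $t0 + 10 * $i);
}
printf("same IP, one minute in: %d s left\n", secondsBlocked($pdo, $ip, $t0 + 60));
printf("different IP: %d s left\n", secondsBlocked($pdo, '198.51.100.9', $t0 + 60));
printf("same IP, 15 min after last failure: %d s left\n",
    secondsBlocked($pdo, $ip, $t0 + 30 + WINDOW_SECONDS));
```

Behind a reverse proxy or NAT, `$_SERVER['REMOTE_ADDR']` is shared by many users, so one user's failed attempts lock out everyone else arriving from that address.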