to disabled admin if he enters wrong password

samcentury

i am working on online payment site. i have to do following things

1) if the admin enters wrong password for the 3 times then he can not login. for that i have disabled the login button if he enters wrong password for 3 times.

2)he should be disabled for the next 15 days.

i m having problem with 2nd point how should i disabled admin for 15 days. i create table in the database thast store login info about admin i.e. ip address, date/time, no of counts for the login.
PLz help me. i m trying this from last 2 days. Below is the coding

<?
session_start();
//$sessID = session_id();
//$SESSION['password']=$data['AdminPassword'];
//$SESSION['count'];
//echo "count=".$_SESSION['count'];

$data['PageName']='SYSTEM ADMINISTRATOR LOGIN';

$data['PageFile']='login';

$data['HideMenu']=true;

###############################################################################

include('../config.htm');

###############################################################################

if($post['send']){

/*if($_SESSION['count'] == 3){

// echo "count=".$_SESSION['count'];
$data['Error']='You can not enter password.';
}*/

if($data['AdminCheckIp']&&($data['Addr']!=$data['AdminIpAddress'])){

	$data['Error']='You do not have any rights to use this admin area.';

}elseif(!$post['username']){

	$data['Error']='Your username can not be empty.';

}elseif(!$post['password']){

	$data['Error']='Your password can not be empty.';

}elseif(

	$post['username']!=$data['AdminUsername']

	||

	$post['password']!=$data['AdminPassword'] 

){

	$data['Error']='Wrong administrator username or password.';


}elseif($data['UseTuringNumber']&&

	(!$post['turing']||strtoupper($post['turing'])!=$_SESSION['turing'])

){

	$data['Error']='Please enter valid turing number.';

}else{

	if($data['UseTuringNumber'])unset($_SESSION['turing']);

	$_SESSION['adm_login']=true;

	header("Location:{$data['Admins']}/index.htm");

	echo('ACCESS DENIED.');

	exit;

}

}

###############################################################################

if($data['UseTuringNumber'])$_SESSION['turing']=gencode();

###############################################################################

display('admins');

###############################################################################

template.login.htm

<?if(isset($data['ScriptLoaded'])){

session_start();
$_SESSION['count'];

	/*if(!isset ($_SESSION['count']))
			$_SESSION['count'] = 1;

	else*/
			echo $_SESSION['count']++;

			echo $_SESSION['count'];

?><center><form method=post><table class=frame width=300 border=0 cellspacing=1 cellpadding=4><tr><td class=capl colspan=2>SYSTEM ADMINISTRATOR LOGIN</td></tr><?if($data['Error']){?><tr><td colspan=2 class=error><?=$data['Error']?></td></tr><?}?><tr bgcolor=#EEEEEE><td class=field align=right valign=top nowrap>Username:</td><td width=200><input type=text name=username size=30 maxlength=128 value="<?=$post['username']?>"></td></tr><tr bgcolor=#EEEEEE><td class=field align=right valign=top nowrap>Password:</td><td><input type=password name=password size=30 maxlength=128 value="<?=$post['password']?>"></td></tr><?if($data['UseTuringNumber']){?><tr><td class=field align=right valign=top nowrap>Turing Number:</td><td class=justify bgcolor=#EEEEEE valign=top><img class=turing src="<?=$data['Host']?>/turing.htm" width=78 height=15 border=1 align=absmiddle> <input type=text name=turing size=16 maxlength=32></td></tr><?}?><tr><td colspan=2 align=center bgcolor=#CCCCCC><input type=submit <? if($_SESSION['count']>3){?> disabled <?}?> class=submit name=send value="LOGIN NOW!"></td></tr></table></form></center><?}else{?>SECURITY ALERT: Access Denied<?}?>

###################to check whether user entered wrong password more than 3 times #####################

if($_SESSION['count'] > 3){
$date_time = date("Y-m-d h:i:s");

$sql = "INSERT INTO `admin_session` (`count` , `IP` , `date` ) VALUES ('$_SESSION[count]', '$_SERVER[REMOTE_ADDR]', '$date_time')";

	$result = mysql_query($sql) or die("Insert Error:".mysql_error());

unset($_SESSION['count']);
//session_destroy();

}
###########################################################################################

abda53

just skimmed over it.. but heres an idea on how to do that.

youll need to create a new row in your database, 1 for password attempts (ex. pass_tries with default 0) and one for datetime (ex. pass_date)

on every password attempt that is wrong, it will update pass_tries to be +1 (default 0). if the password is correct, it will set it to 0.

if they mess it up 3 times then pass_tries will become 3.

then do an if statement, where if pass_tries =3 and pass_date is 1,296,000 seconds (15 days) less than the current timestamp, then the user cant attempt to log in.

hope that helps.

The_Chancer

By the look of things - you are storing the date as a human readable time...

$date_time = date("Y-m-d h:i:s");

Try storing it simply as time(); A unix stamp will give you much better access in terms of working out exactly when things happened date("D d M Y h:i:s",time()) Will enable you to see the time. And an SQL query, can have WHERE ".time().">(date_time+86400) for example. (i.e. returning those over a day old)...