PHP Login Script

Kungfu_Jesus · Apr 13, 2007

Alright, I'm developing a custom login script. Its supposed to detect number of login attempts, lockout after three unsuccessful attempts, clear those attempts after two hours, and set a cookie after a successful login.
The page can be found here: http://allamericananimestudios.com/mothman

Now the actual login is working as far as I can tell, but updates to the database are failing for both successful and unsuccessful logins. Also portions of the database queries are being posted in the echo's after a failure. I have no idea why these aren't working.

Here is a copy of my code.

<?php
session_start();
//record ip address
$ip = GetHostByName($REMOTE_ADDR); 
//Open Connection to Database 
include_once("conf.php");
$link = mysql_connect($dbserver, $username, $password)
or die("Could not connect: " . mysql_error());
mysql_select_db("mothmap",$link)
or die("Can\'t use mothmap: " . mysql_error());
//Retrieve Row in Database Based on Username
$result = mysql_query("select * from User where User_Name='" . $user . "'", $link);
if (!$result)
{
//no match = error(“Wrong username or password”)
echo "Incorrect Username or Password.";
}
$row = mysql_fetch_array($result);
//if number of attempts is greater than three and its been less than two hours since last attempt
$lastattempt = (time()-$row['User_Time'])/3600;
if($row['User_Attempts'] >= 3){
	if($lastattempt > 2){
	$sql = "UPDATE USER SET";
	$sql = $sql . "User_Attempts = 0 where User_Name='" . $user . "'";
	mysql_query($sql,$link);}
	else{
	//then error(“Too many failed attempts to connect. Try again in a couple of hours.”)
	echo "Too many failed attempts to connect. Try again in a couple of hours.";
	//record time of attempt
	$sql = "UPDATE USER SET";
	$sql = $sql . "User_Time =" . time() . "where User_Name='" . $user . "'";
	//place time in database
	mysql_query($sql,$link);
	//place ip address in database
	$sql = "UPDATE USER SET";
	$sql = $sql . "User_IP =" . $ip . "where User_Name='" . $user . "'";
	mysql_query($sql,$link);
	}}
else{
	//if hash of password entered equals hash in database
	if(md5($pass) == md5($row['User_Password'])){
		//then login = 1 
		$login=1;
		//set cookie with username, login, and ip address
	    session_register('user', 'login', 'ip');
		$expire = time() + (60 * 60 * 24 * 2);
		setcookie("name", $user, $expire);
		setcookie("remember", $login, $expire);
		setcookie("ip", $ip, $expire);
		// redirect
	    header( 'Location: http://www.allamericananimestudios.com/mothman' );
		}
	else{
	      //error(“Wrong username or password”)
		  echo "Wrong user name or password.".
	      //increment attempts
		  $sql = "UPDATE USER SET";
		  $sql = $sql . "User_Attempts =" . $row['User_Attempts']+1 . "where User_Name='" . $user . "'";
	      mysql_query($sql,$link);
	      //record time and ip address in database
		  $sql = "UPDATE USER SET";
		  $sql = $sql . "User_Time =" . time() . ", User_IP =" . $ip . "where User_Name='" . $user . "'";
	      mysql_query($sql,$link);
		  }
		  }
mysql_close($link);
?>