I have a login/registration script and I want to put this code in it that when users enter their wrong login info 3 or more times it will lock them out for however many minutes.

Heres is the website that has the code:
And help me with the Mysql part and php part codes

http://xlinesoft.com/articles/system_access_lock.htm

So after 3 or more failed login attempts it will lock them out from the login page.

So I'm assuming you will need to look at the php code of My login page:

-Login.php-

<?php # Script 16.8 - login.php
// This is the login page for the site.

require_once ('includes/config.inc.php'); 
$page_title = 'Login';
include ('includes/header.html');

if (isset($_POST['submitted'])) {
	require_once (MYSQL);

// Validate the email address:
if (!empty($_POST['email'])) {
	$e = mysqli_real_escape_string ($dbc, $_POST['email']);
} else {
	$e = FALSE;
	echo '<p class="error">You Forgot To Enter Your Email Address!</p>';
}

// Validate the password:
if (!empty($_POST['pass'])) {
	$p = mysqli_real_escape_string ($dbc, $_POST['pass']);
} else {
	$p = FALSE;
	echo '<p class="error">You Forgot To Enter Your Password!</p>';
}

if ($e && $p) { // If everything's OK.

	// Query the database:
	$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";		
	$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

	if (@mysqli_num_rows($r) == 1) { // A match was made.

		// Register the values & redirect:
		$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 
		mysqli_free_result($r);
		mysqli_close($dbc);

		$url = BASE_URL . 'index.php'; // Define the URL:
		ob_end_clean(); // Delete the buffer.
		header("Location: $url");
		exit(); // Quit the script.

	} else { // No match was made.
		echo '<p class="error">Either The Email Address And Password Entered Do Not Match Those On File or You Have Not Yet Activated Your Account.</p>';
	}

} else { // If everything wasn't OK.
	echo '<p class="error">Please Try Again.</p>';
}

mysqli_close($dbc);

} // End of SUBMIT conditional.
?>

<h1><img src="Login Icon.png" width="135" height="129"></h1>
<p><font color="green">Your Browser Must Allow Cookies In Order To Log In</font></p>
<form action="login.php" method="post">
	<fieldset>
	<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" /></p>
	<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
	<div align="left"><input type="submit" name="submit" value="Login" /></div>
	<input type="hidden" name="submitted" value="TRUE" />
	</fieldset>
</form>


<?php // Include the HTML footer.
include ('includes/footer.html');
?>

And I Appreciate Anybody who helps me with this, Thank you😃

    I do not see session_start()
    but I assume you start session in some include.

    I use two variables.
    $SESSION['login_count'] ... count to 3 attempts
    $
    SESSION['login_time'] ..... count for 1 hour = 3600 seconds

    I think you see where you should put in code.
    There is one part in beginning to check for the $SESSION['login_time'].
    And the other part is after failed login
    where $
    SESSION['login_count'] is used.

    I may have some little syntax error.
    But the code should work very well and as you want.

    Regards

    <?php # Script 16.8 - login.php
    // This is the login page for the site.
    
    require_once ('includes/config.inc.php');
    $page_title = 'Login';
    include ('includes/header.html');
    
    if(isset($_SESSION['login_time'])){
    	//set blocked time to 1 hour
    	$blocked = 3600;
    	if( time() - $_SESSION['login_time'] < $blocked){
    		//redirect somewhere
    		header('location:index.php');
    		exit();	
    	}else{
    		//we reset the time counter
    		unset($_SESSION['login_time']);
            }
    }
    
    if (isset($_POST['submitted'])) {
        require_once (MYSQL);
    
    //-----------------------------------//
    
    
    } else { // If everything wasn't OK.
    
        // if count isset then increase ++1 otherwise set it to 1
        $_SESSION['login_count'] = isset($_SESSION['login_count'])? ++$_SESSION['login_count'] : 1;
        // if is 3, we record the login_time
        if($_SESSION['login_count'] == 3){
        	$_SESSION['login_time'] = time();
        	//we unset count, as now time will be counted
        	unset($_SESSION['login_count']);
        	//message and link
        	echo 'Sorry! You have had 3 failed login attempts<br />';
        	echo '<a href="index.php">Go Home</a>';
        	exit();
        }
    
        echo '<p class="error">Please Try Again.</p>';
    }
    
    ?>

      I just realized that SESSION will not stop anyone from making 3 new login attempts.
      The user only has to close down browser and SESSION will be deleted.
      Not even using a COOKIE will work, because cookies can be deleted by the user.

      You will have to use one MySQL TABLE to record:
      IP
      TIME
      ... after those 3 attemps.

      Now, not even IP address is a secure way, as people can be using PROXY
      with IP address that can be changed.

      If you ask me, then I think it is too much trouble to try the MySQL way.
      As the result may not work anyway.

      If you use my code, at least the user will have to close down browser after each 3 attempts.
      So you are causing him/her some trouble.

      The important thing is to have your Login so secure,
      that nobody that is not authorized
      can not login.
      No matter how many attempts they will bother.

        halojoy wrote:

        You will have to use one MySQL TABLE to record:
        IP
        TIME
        ... after those 3 attemps.

        Now, not even IP address is a secure way, as people can be using PROXY
        with IP address that can be changed.

        IP address is not necessary: you just need to ignore any attempted new logins at that account for the specified time. This does allow a denial of service attack against a legitimate user who is about to login, but that is inherent in these kinds of lock out schemes. (On the other hand, locking them out for a minute is relatively harmless, yet slows down any brute force attempt to a crawl.)

          Write a Reply...