Posted by Tyno Gendo on 04/09/07 14:48
Tyno Gendo wrote:
> antony wrote:
>>> i would simply have a count field in the database against the
>>> usernames and on each unsuccessful attempt increase the counter.
>>>
>>> when they log in successfully, reset the counter. a flag could be
>>> in there as to whether the account is active, if the count reaches a
>>> set amount, flip the flag eg. user_active 'Y' or 'N'
>>>
>>> any user_active 'N' accounts cannot log in.
>>>
>>> add a datetime field also so you can do your checks for timeout
>>> expire of the blocks etc.
>>>
>>> of course, this is all good for usernames that exist.
>>
>>
>> so you control only the attempt of the password insertion?
>
> Say you had a table 'user' as such:
>
> user_id INT AUTO_INCREMENT PRIMARY KEY
> user_name varchar(80) NOT NULL
> user_pass varchar(16) NOT NULL
> user_tries INT
>
> When user tries to log in (this is all off the top of my head straight into
> newsreader, so not checked):
>
> define('MAX_RETRIES', 5);
> $logged_in = false;
> // escape the submitted name before it is placed in the query string
> $sql = "SELECT user_id, user_name, user_pass, user_tries
> FROM user WHERE user_name = '" . mysql_real_escape_string($_POST["username"]) . "';";
>
> $ds = mysql_query($sql);
> if (mysql_num_rows($ds)>0) { // username found match
>
> // a correct username at least, read details and check pass,
> // die if we can't read row (trigger_error better)
>
> $dr = mysql_query($ds) or die(mysql_error());
$dr = mysql_query($ds) or die(mysql_error());
should be $dr = mysql_fetch_assoc($ds);
might be more errors ... LOL ... leave it to you to decipher.
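
An added example, not part of the original posts: the counter, lock and timeout scheme described in this thread, written with PDO prepared statements against an in-memory SQLite database so it runs on its own. The `user_locked_at` column, `LOCK_SECONDS`, the function name `attempt_login` and storing `user_pass` as a `password_hash()` value are assumptions, not from the thread.

```php
<?php
// Added example, not code from the thread. user_locked_at, LOCK_SECONDS,
// attempt_login() and the hashed user_pass are assumptions.
const MAX_RETRIES = 5;
const LOCK_SECONDS = 900;
function attempt_login(PDO $db, string $name, string $pass, int $now): bool
{
    // Bound parameter: the submitted name is data, never part of the SQL text.
    $st = $db->prepare('SELECT user_id, user_pass, user_locked_at
                        FROM user WHERE user_name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username: there is no row to count against
    }
    $id = (int) $row['user_id'];
    if ($row['user_locked_at'] !== null) {
        if ($now - (int) $row['user_locked_at'] < LOCK_SECONDS) {
            return false; // still blocked, whatever password was sent
        }
        // Block has expired: clear it and start counting from zero again.
        $db->prepare('UPDATE user SET user_tries = 0, user_locked_at = NULL
                      WHERE user_id = ?')->execute([$id]);
    }
    if (password_verify($pass, $row['user_pass'])) {
        $db->prepare('UPDATE user SET user_tries = 0 WHERE user_id = ?')->execute([$id]);
        return true;
    }
    // Increment in SQL (no lost counts under parallel requests), then lock at the limit.
    $db->prepare('UPDATE user SET user_tries = user_tries + 1 WHERE user_id = ?')->execute([$id]);
    $db->prepare('UPDATE user SET user_locked_at = ? WHERE user_id = ?
                  AND user_tries >= ? AND user_locked_at IS NULL')
       ->execute([$now, $id, MAX_RETRIES]);
    return false;
}

// Constructed demo data: one account and a fixed clock value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL UNIQUE,
    user_pass TEXT NOT NULL, user_tries INTEGER NOT NULL DEFAULT 0, user_locked_at INTEGER)');
$db->prepare('INSERT INTO user (user_name, user_pass) VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
$t = 1000;
for ($i = 0; $i < MAX_RETRIES; $i++) {
    attempt_login($db, 'alice', 'wrong', $t);
}
var_dump(attempt_login($db, 'alice', 's3cret', $t + 1));            // inside the block window
var_dump(attempt_login($db, 'alice', 's3cret', $t + LOCK_SECONDS)); // after the block expires
```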