So when the user unsuccessfully logs in for the first time it performs tasks 70-73
and then it jumps down to 111. That part works correctly; however, when the chances left gets to 0, meaning the failedLogins value in the db would be 5, it's supposed to do the steps starting at line 76, but it doesn't. Instead it shows 0 for the chances left and then that's it. I'm sure my logic is right but the code is just placed in the wrong places. (http://pastebin.com/p3n1Fr78)
// User is registered and verified
$query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
$result = mysqli_query($dbc,$query);
$row = mysqli_fetch_array($result);
$lockDate = $row['lockDate'];
// Find out if user is locked out of their account.
// The clearing query below sets lockDate = NULL, so NULL must be treated the same
// as the zero date; otherwise strtotime(NULL) returns false and this branch runs
// on every later login without ever checking the password.
$stillLocked = false;
if ($lockDate !== null && $lockDate !== "0000-00-00 00:00:00") {
    $currentDateTime = time();
    // lockDate is a DATETIME string; convert it to a timestamp before subtracting
    $lockTime = strtotime($lockDate);
    $minutes = floor(($currentDateTime - $lockTime) / 60);
    // Take minutes and perform tasks
    if ($lockTime > 0 && $minutes < 10) {
        // Calculate time remaining
        $timeRemaining = 10 - $minutes;
        // Account locked error
        $stillLocked = true;
        $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we apologize for the inconvenience. You must wait ' .$timeRemaining.' minutes before you can log in again!');
    } else {
        // Clear the lock, then fall through to the normal password check
        $query = "UPDATE manager_users_logins_hacking SET lockDate = NULL, hackerIPAddress = NULL, failedLogins = 0 WHERE userID = '".$userID."'";
        $result = mysqli_query($dbc,$query);
    }
}
if (!$stillLocked) {
    // Escape post data. (Escaping only matters for values that go into SQL; this one
    // is only hashed, so escaping changes what gets hashed. Keep it only if the
    // registration code escaped the password the same way before hashing.)
    $password = mysqli_real_escape_string($dbc,$_POST['password']);
    // Assign hashed password to variable
    $regenFromPostPW = reGenPassHash($password, $passwordDB2);
    // Comparing the database password with the posted password.
    // hash_equals() avoids loose == comparison of hash strings and runs in constant time.
    if (hash_equals((string)$passwordDB, (string)$regenFromPostPW)) {
        $query2 = "UPDATE manager_users_logins SET numberOfLogins = numberOfLogins + 1, lastOnline = CURRENT_TIMESTAMP WHERE userID = '".$userID."'";
        $result2 = mysqli_query($dbc,$query2);
        // Assign user data into an array
        $loggedinUserDataArray = array('userID' => $userID, 'name' => $firstName . " " . $lastName);
        // Assign user data array to new session
        $_SESSION['user_data'] = $loggedinUserDataArray;
        // See if the remember me checkbox was checked
        if (isset($_POST['remember'])) {
            // Sets an expiration time for the cookie (100 days)
            $myExpiration = time()+60*60*24*100;
            // Sets the cookie for the username. (The original passed the misspelled
            // $myExiration, an undefined variable, so the cookie expired with the browser session.)
            setcookie("username", $username, $myExpiration, "/");
        }
        // Successful login complete
        $output = array('errorsExist' => false, 'message' => 'You have been logged in, please allow a moment while we load your account data!');
    } else {
        // Login unsuccessful
        $query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
        $result = mysqli_query($dbc,$query);
        $row = mysqli_fetch_array($result);
        $failedLogins = $row['failedLogins'];
        // Take failed logins and compare it. Note this compares the value read BEFORE the
        // increment in the else branch, so the lock fires on the attempt after chancesLeft reaches 0.
        if ($row['failedLogins'] >= 5) {
            // Retrieve IP Address of user trying to hack into account
            $hackerIPAddress = $_SERVER['REMOTE_ADDR'];
            // Update database after account getting hacked and run query
            $query = "UPDATE manager_users_logins_hacking SET lockDate = CURRENT_TIMESTAMP, hackerIPAddress = '".$hackerIPAddress."' WHERE userID = '".$userID."'";
            $result = mysqli_query($dbc,$query);
            $query2 = "SELECT * FROM manager_users WHERE userID = '".$userID."'";
            $result2 = mysqli_query($dbc,$query2);
            $row = mysqli_fetch_array($result2);
            $firstName = $row['firstName'];
            $lastName = $row['lastName'];
            // Email user about the locked account
            // (a function declared inside a conditional block only exists once the block
            // has run; PHP allows it, but declaring it at file scope is clearer)
            function my_domain_name() {
                $my_domain = $_SERVER['HTTP_HOST'];
                $my_domain = str_replace('www.', '', $my_domain);
                return $my_domain;
            }
            $sender_email = "noreply@kansasoutlawwrestling.com";
            $reply_to = "noreply@kansasoutlawwrestling.com";
            $recipient_email = $email;
            $email_subject = "KOW Manager Account Locked";
            $email_body = 'Hello '.$firstName.' '.$lastName.', You, or someone using your account at '.my_domain_name().', has attempted to hack into your account. If this is an error, ignore this email and you will be removed from our mailing list.<br /><br />Regards, '.my_domain_name().' Team';
            mailSomeone($email, $sender_email, $email_subject, $email_body);
            // Account locked error
            $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we apologize for the inconvenience. This is a security measure triggered by too many failed logins! You must wait 10 minutes before you can log in again!');
        } else {
            // Increment the counter in SQL rather than passing the PHP value back as a quoted string
            $query = "UPDATE manager_users_logins_hacking SET failedLogins = failedLogins + 1 WHERE userID = '".$userID."'";
            $result = mysqli_query($dbc,$query);
            $query2 = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
            $result2 = mysqli_query($dbc,$query2);
            $row2 = mysqli_fetch_array($result2);
            $failedLogins = $row2['failedLogins'];
            // Calculate how many chances the user has to login before account gets locked
            $chancesLeft = 5 - $failedLogins;
            // Invalid username and password error
            $output = array('errorsExist' => true, 'message' => 'Invalid Username and Password combination! You have ' .$chancesLeft.' chances left to login successfully or the account will be locked!');
        }
    }
}
Ok, some things:
If you do not have a defective version of PHP, the number $failedLogins is not incrementing to 5 between line 76 (if($row['failedLogins']>=5)) and line 111 ($query = "UPDATE manager_users_logins_hacking..."). If it hits line 77, it cannot increment. That said, it also cannot decrement, so I suggest you might want to consider adding logic to set the count to 0.
You also might be seeing $chancesLeft and expecting it to be $failedLogins (an all-too-common problem, unfortunately; I've done my share of head-desks because of that). Also:
First: Are you sure you have error reporting set to maximum?
Second, conditional functions are bad:
It is best to define your function outside of the if block. Even if you only use it once.
Third, you really should only show the immediately relevant code in your questions and try to format so that it is easy to read.
Fourth, I see a lot of '".$variable."'. You may want to make those "UPDATE...$variable..." or you should escape a single quote: 'UPDATE ... SET FOO = \''.$foo.'\' WHERE....'. A double quote means "parse this string", and I know that I, for one, expect that it will contain some variable.