我需要帮助来限制用户的登录尝试。这是我的代码。
$login = login($username, $password);
if($login === false) {
if(isset($_COOKIE['login'])){
if($_COOKIE['login'] < 3){
$attempts = $_COOKIE['login'] + 1;
setcookie('login', $attempts, time()+60*10); //set the cookie for 10 minutes with the number of attempts stored
$errors[] = 'That username/password combination is incorrect!';
} else{
echo 'You are banned for 10 minutes. Try again later';
}
} else {
setcookie('login', 1, time()+60*10); //set the cookie for 10 minutes with the initial value of 1
}
} else {
$_SESSION['user_id'] = $login;
header('Location: ../../home.php');
exit();
}
它看起来适合我,但它不会工作。即使在尝试3次登录后,用户仍然可以访问他/她的帐户。
答案 0 :(得分:3)
使用一个SQL数据库,即时通讯正在处理一段代码,给我一个小时的时间并为你做一个例子
PHP:
<?php
$host = "";//Host name
$username = "";//MYSQL username
$password = "";//MYSQL password
$db_name = "";//Database name
$tbl_name = "";//Name of login table
$bl_name2 = "";//Name of table to store IP if attempt is incorrect
//connect to server and select database
try{
$conn = new PDO('mysql:host='.$host.';dbname='.$db_name.'',$username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);}
catch(PDOException $e){
echo 'ERROR: ' . $e->getMessage();}
//get users ip next, as this is for a log in, this example will show for username and pass also
$userIP = $_SERVER['REMOTE_ADDR'];
$userPassword = $_POST['passwordfromform'];
$userUsername = $_POST['usernamefromform']
if(empty($userUsername) && empty($userPassword)){
die("You must enter a username and password");
}
//check for log in excess
$checkSql="
SELECT * FROM ".$tbl_name2."
WHERE PostersIP = '".$userIP."'
";
$stmt = $db->query($checkSql);
$row_count = $stmt->rowCount();
if($rowcount >= 7){//change this number to reflect the nuber of login chances
die("You have tried to log in too many times");
}
//check to log in
$insertSql = "
SELECT * FROM ".$tbl_name."
WHERE USERNAME = '".$userUsername."'
AND PASSWORD = '".$userPassword."'";
//execute check query
$result = $conn->query($insertSql);
if($result != false){
echo "Username and Password were correct!";//link to correct page
}
else{
$incorrectSql="
INSERT INTO ".$tbl_name2."
(PostersIP) VALUES
('".$userIP."')";
$result2 = $conn->query($incorrectSql);
if($result2 != false){
die("You entered an invalid username or password, your attempt has been stored.");
}
die("Error inserting data");
}
?>
我没有对这个进行现场测试,因此可能存在一些缺陷,但是我对你的评论非常好。你需要第二个表来存储用户提交的ips。这是一个非常混乱的方式来做到这一点。我非常确定有更好的方法可以做到,但是我的10分钟解决方案:)
答案 1 :(得分:1)
使用数据库,我建议使用IP地址。看看这个definitive way to get user ip address php
捕获用户名,密码和时间戳,将这些记录到表中是否失败或成功。设置您想要禁用它们的参数。
添加一个检查登录脚本以检查IP地址,并且只允许他们输入详细信息(如果该IP地址尚未用于3次失败尝试)。
显然,您可能需要一个新表来表示禁止的IP地址以及允许其重新输入详细信息的时间。
答案 2 :(得分:0)
我会创建另一个包含cols的表:Username,Timestamp,Attempts。 这将检查时间戳10分钟内的尝试用户名(在第一次尝试时设置)。
%timeit df.reindex(sorted(df.index, key=lambda x: x.lower()), copy=True)
1000 loops, best of 3: 794 µs per loop
%timeit df.iloc[df.index.str.lower().argsort()]
1000 loops, best of 3: 850 µs per loop