Login counter?

T

Totti

Hi everybody,
I have a Login page where the user will try to login using a user
name
and a password, found in a DB in ACCESS, the code is still very
simple, what i want to know is that how can i make a counter that
will
count till 3 wrong attempts, and close the page? I have done
something
like this in VB but there it is easier, this one here is a little bit
harder for me. At any rate, would anyone please guide me through, or
if there is such a code somewhere that i can see how it should be
approached? i am starting withe the following code:

<html> <head>
<script language=javascript>
function check()
{if (document.form1.username.value == "")
{alert("Please enter your username.");
document.form1.username.focus();}
else if (document.form1.password.value == "")
{alert("Please enter tour password.");
document.form1.password.focus();}
else {document.form1.submit();}}
</script> </head> <body>
<form name="form1" type="POST" action="http://localhost/php/estate/
after_login.php">
<div> <h1>.....Login form for Agents....</h1>
Username: <input type="text" value="" name ="username"><br><br>
Password: <input type="password" value="" name ="password"><br><br>
Number of tries: <input type="text" value="1" name ="tries" size =
"1"><br><br>
<input type="button" value="Back" onclick="history.go(-1);">
<input type="button" value="Login" onclick="check()">
</div> </form> </body> </html>

=======================================================
The page After_Login has PHP and it will check for valid login
combinations:
=======================================================

<?php
print('<html> <head></head> <body>
<form name="form1" type="post" action="http://localhost/php/estate/
props.php">
<div><h1>.....Form to Manipulate Data....</h1>');
$username = $_REQUEST["username"];
$password = $_REQUEST["password"];
$tries = $_REQUEST["tries"];
echo "\$Your username is: $username and your password is: $password
and this is your $tries attempt to login<br>";
$conn = odbc_connect ('estate','','') or die ('Error. I can not find
Estate');
$query = "select * from agent";
odbc_prepare($conn, $query) or die ('Error preparing Query');
$data = odbc_exec($conn, $query) or die ('Error executing
Query'.odbc_errormsg());
$logged = 0;
while (odbc_fetch_row($data))
{$agent_id = odbc_result($data, 'agent_id_pk');
$agent_account = odbc_result($data, 'agent_account');
$agent_password = odbc_result($data, 'agent_password');
$agent_lname = odbc_result($data, 'agent_lname');
$agent_fname = odbc_result($data, 'agent_fname');
if (($username == $agent_account) && ($password == $agent_password))
{$logged=1;}
}
if ($logged == 1)
{print('<input type="button" value="Browse Properties"
onclick="document.form1.action=\'http://localhost/php/estate/
props.php
\'; document.form1.submit();">
<input type="button" value="Browse Agents"
onclick="document.form1.action=\'http://localhost/php/estate/
agents.php
\'; document.form1.submit();">');
}
if ($logged == 0)
{print("<br>No such username or incorrect password given. Please try
again.<br>");}
print('<br><input type="button" value="Back" onclick="history.go
(-1);">
</div></form></body></html>'); ?>

=============================================================
In the best case i want the After_Login when it encounters the wrong
combination to redirect the user to the Login page, envoking a
Javascript saying how many times are yet allowed for the login, when
3
attempts are exhausted, it would be nice to close the browser
automatically and reset the counter. Is it Possible? I appreciate any
Help provided
 
E

Erwin Moller

Totti schreef:
Hi everybody,
I have a Login page where the user will try to login using a user
name
and a password, found in a DB in ACCESS, the code is still very
simple, what i want to know is that how can i make a counter that
will
count till 3 wrong attempts, and close the page? I have done
something
like this in VB but there it is easier, this one here is a little bit
harder for me. At any rate, would anyone please guide me through, or
if there is such a code somewhere that i can see how it should be
approached? i am starting withe the following code:
Click to expand...

Hi Totti,

I think that I speak for must people in here if I say that the following
code is horrid. It is poorly written, full of mistakes, and a puzzle to
disect. It gives me a headache.

I'll just add a few random pointers here and there:

This is a JavaScript newsgroup, but I'll comment on the PHP too.
<html> <head>
Click to expand...

No DOCtype?
<script language=javascript>
Click to expand...

That is ancient history.
Do this:
function check()
{if (document.form1.username.value == "")
{alert("Please enter your username.");
document.form1.username.focus();}
else if (document.form1.password.value == "")
{alert("Please enter tour password.");
document.form1.password.focus();}
else {document.form1.submit();}}
</script> </head> <body>
<form name="form1" type="POST" action="http://localhost/php/estate/
after_login.php">
Click to expand...

type="POST" ?
Did you by any chance mean: METHOD="POST"?
<div> <h1>.....Login form for Agents....</h1>
Username: <input type="text" value="" name ="username"><br><br>
Password: <input type="password" value="" name ="password"><br><br>
Number of tries: <input type="text" value="1" name ="tries" size =
"1"><br><br>
Click to expand...

What is the point of that 'tries' textinput?

Even if the rest of the code worked, people can just put '1' in there
and try again after 3 fails?

<input type="button" value="Back" onclick="history.go(-1);">
<input type="button" value="Login" onclick="check()">
Click to expand...

Ok, Are you aware that people with JavaScript disabled cannot use this
site? That may be OK, but then it is a designdecision.

</div> </form> </body> </html>

=======================================================
The page After_Login has PHP and it will check for valid login
combinations:
=======================================================

<?php
print('<html> <head></head> <body>
<form name="form1" type="post" action="http://localhost/php/estate/
props.php">
<div><h1>.....Form to Manipulate Data....</h1>');
Click to expand...

That is AWEFUL. Do NOT print loads of HTML like that.
It is a maintainance nightmare. And a debug nightmare.
You can simple output ANY HTML in PHP by just putting it outside the PHP
tags, like this:

<html>
<head></head>
<body>
<form name="form1" type="post"
action="http://localhost/php/estate/props.php">
<div><h1>.....Form to Manipulate Data....</h1>

And THEN open to PHP:
<?php
$username = $_REQUEST["username"];
$password = $_REQUEST["password"];
$tries = $_REQUEST["tries"];
Click to expand...

OK, The use of $_REQUEST in PHP equals "I don't know where my data comes
from, so I look it up in GET, POST, SESSION, Environment variables, etc
etc".
Very bad habbit.

If you put in your form METHOD="POST" then use in your receiving script:
$_POST instead of $_REQUEST.

echo "\$Your username is: $username and your password is: $password
and this is your $tries attempt to login<br>";
$conn = odbc_connect ('estate','','') or die ('Error. I can not find
Estate');
$query = "select * from agent";
Click to expand...

Bad habbit: NAME the columns you need, do not use *.
odbc_prepare($conn, $query) or die ('Error preparing Query');
$data = odbc_exec($conn, $query) or die ('Error executing
Query'.odbc_errormsg());
$logged = 0;
while (odbc_fetch_row($data))
{$agent_id = odbc_result($data, 'agent_id_pk');
$agent_account = odbc_result($data, 'agent_account');
$agent_password = odbc_result($data, 'agent_password');
$agent_lname = odbc_result($data, 'agent_lname');
$agent_fname = odbc_result($data, 'agent_fname');
if (($username == $agent_account) && ($password == $agent_password))
{$logged=1;}
}
Click to expand...

So, if I understand you right, this is what the code does:
Get EVERYTHING from table agent, and see if one of the rows matches the
passed username password.
Right?
Why not ask directly like this:

$SQL = "SELECT agent_account, agent_password FROM agent WHERE
((agent_account=$username) AND (agent_password=$password));";

And see if that returns a row?
(Beware of SQL Injection)

if ($logged == 1)
{print('<input type="button" value="Browse Properties"
onclick="document.form1.action=\'http://localhost/php/estate/
props.php
\'; document.form1.submit();">
Click to expand...

This approach is strange.
If I submit a login form I expect to be taken to the right place.
I do NOT expect the same form back with some extra button.

SO better is:
1) Make a page with loginform that post somewhere.
2) From somewhere, if username and password are OK, redirect the browser
to the right page (the one for people that authenticated).

<input type="button" value="Browse Agents"
onclick="document.form1.action=\'http://localhost/php/estate/
agents.php
\'; document.form1.submit();">');
}
if ($logged == 0)
{print("<br>No such username or incorrect password given. Please try
again.<br>");}
print('<br><input type="button" value="Back" onclick="history.go
(-1);">
</div></form></body></html>'); ?>

=============================================================
In the best case i want the After_Login when it encounters the wrong
combination to redirect the user to the Login page, envoking a
Javascript saying how many times are yet allowed for the login, when
3
attempts are exhausted, it would be nice to close the browser
automatically and reset the counter. Is it Possible? I appreciate any
Help provided
Click to expand...

I don't even start with making this script do 3 postings, since any
hacker can easily break that 'security'.

If you want this for a project that need a little security to protect
pages: do NOT approach it like this.

And besides, What happens if I type into the URL of my browser the
location you showed in your code directly?
http://localhost/php/estate/agents.php
or
http://localhost/php/estate/props.php

You WON'T get any security worth mentioning using JavaScript.
You must enforce this on the server.


Erwin Moller


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
 
T

Totti

Erwin,
I just can say 1000 thanks, for the time and the advices you gave,
eventhough i am a newby, the things you mentioned are of radical
importance in general.
Thanks a lot, I ll reconsider many things in this project.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Can't execute php to delete multiple rows in database 3
Problem in getting dashboard page from login page in python pycharm using POST command 0
Login form no longer working 2
Registration Form 7
Survey details won't go through using php, ajax, Mysql 0
How to store data from a sign up form on a website into an sql databse 1
Please, help me. 1
<b>Parse error</b>: syntax error, unexpected variable &quot;$POST&quot;, expecting &quot;)&quot; in <b>the respective file</b> on line<b>2<b> 1

Members online

No members online now.
Total: 31 (members: 0, guests: 31)
Robots: 649

Forum statistics

Threads
473,769
Messages
2,569,581
Members
45,056
Latest member
GlycogenSupporthealth

Latest Threads

Top