Columns of table failed_attempt: id_fail_attempt, ip, attempts, datetime

Columns of table failed_login: id, id_user, attempts, ip, datetime
  5. <?php
  6. session_start();
  7. if (isset($_POST)) {
  8. $message= $username = $password = $usernameBD = $passwordDB = NULL;
  9. $captcha = true;
  10. //logged in user indicator
  11. $logueado = false;
  12. //Number of attempts allowed for IP
  13. $attemptsIP = 8;
  14. //Number of attempts allowed for User
  15. $attemptsU = 5;
  16.  
  17. if(isset($_POST) && isset($_POST["vcode"]) && $_POST["vcode"]!=$_SESSION["vcode"]) {
  18. $captcha = false;
  19. $message = "Written characters do not match the verification word. Try again.";
  20. }else{
  21. unset($_SESSION['id_user']);
  22. }
  23.  
  24. $addres = $_SERVER['REMOTE_ADDR'];
  25.  
  26. //Conexión -> SQL
  27. require_once'app/php/config.ini.php';
  28. //We block the ip for one day
  29. $stmtA = $con->prepare("SELECT attempts FROM failed_attempt WHERE ip=? AND datetime BETWEEN DATE_SUB( NOW() , INTERVAL 1 DAY ) AND NOW()");
  30.  
  31. $stmtA->bind_param("s",$addres);
  32. $stmtA->execute();
  33. $stmtA->store_result();
  34.  
  35. //Variable to know if there is record or not for insert or update.
  36. $check_result = $stmtA->num_rows;
  37. if ($stmtA->num_rows===1) {
  38. //if ($stmtA->num_rows>0) {
  39. //We obtain data to compare attempts and to reset attempts by its last date.
  40. $stmtA->bind_result($failed_login_attempt);
  41. $stmtA->fetch();
  42. $stmtA->close();
  43. } else {
  44. $stmtA->close();
  45. $failed_login_attempt=0;
  46. }
  47.  
  48. if(count($_POST)>0 && $captcha == true) {
  49. $username = $_POST["username"] ?: '';
  50. $password = $_POST["password"] ?: '';
  51.  
  52. //Search for user - HOME
  53. $stmtB = $con->prepare("SELECT id_user,username,password,logindatetime, CASE WHEN logindatetime BETWEEN DATE_SUB( NOW() , INTERVAL 2 MINUTE ) AND NOW() THEN '1' ELSE '0' END as logueado FROM users where username=? AND active=? LIMIT 1");
  54. $stmtB->bind_param("si",$username,$active);
  55. $active=1;
  56. $stmtB->execute();
  57. $stmtB->store_result();
  58. if ($stmtB->num_rows===1) {
  59. $stmtB->bind_result($id_userBD,$usernameBD,$passwordDB,$logindatetime,$activeBD);
  60. if ($stmtB->fetch()){
  61. if (password_verify($password, $passwordDB)) {
  62. $check_password = true;
  63. } else {
  64. $check_password = false;
  65. }
  66. } $stmtB->close();
  67. } else {
  68. $stmtB->close();
  69. $check_password = false;
  70. }
  71.  
  72. //Search for user - END
  73.  
  74. //logs login attempts according to IP - HOME
  75.  
  76. if($check_result===0){
  77.  
  78. //If it is your first failed attempt, we include the first record in the BD
  79. $stmtC = $con->prepare("INSERT INTO failed_attempt (ip,attempts,datetime) VALUES (?, ?, NOW())");
  80. $stmtC->bind_param("si",$addres,$attempts);
  81.  
  82. $attempts = 1;
  83. //$datetime = date('Y-m-d H:i:s', time());
  84. $stmtC->execute();
  85. $stmtC->close();
  86.  
  87. } else {
  88. // update the number of attempts faild
  89.  
  90. if($failed_login_attempt<$attemptsIP){
  91. $accountant = $failed_login_attempt + 1;
  92.  
  93. $stmtD = $con->prepare("UPDATE failed_attempt SET attempts=?, datetime=NOW() WHERE ip = ?");
  94. $stmtD->bind_param("is",$accountant,$addres);
  95.  
  96. //$datetime = date('Y-m-d H:i:s', time());
  97. $stmtD->execute();
  98. $stmtD->close();
  99. }
  100. }
  101.  
  102. //registre attemptes of login by IP - END
  103.  
  104. //VALIDATE DOUBLE LOGUEO
  105.  
  106. if ($username==$usernameBD && $check_password == true && $logindatetime!=NULL && $activeBD==1) {
  107. $logueado = true;
  108. } else {
  109. //registre attemptes by user - HOME
  110. $attempU = 0;
  111.  
  112. if($usernameBD!= null && $usernameBD!=''){
  113.  
  114. $id_user = $id_userBD;
  115.  
  116.  
  117. $stmtE = $con->prepare("SELECT attempts FROM failed_login WHERE id_user =? AND datetime BETWEEN DATE_SUB( NOW() , INTERVAL 15 MINUTE ) AND NOW() ");
  118. $stmtE->bind_param("i",$id_user);
  119. $stmtE->execute();
  120. $stmtE->store_result();
  121. $queryResult = $stmtE->num_rows;
  122.  
  123. if ($queryResult===0) {
  124. $stmtF = $con->prepare("INSERT INTO failed_login (id_user, attempts, ip, datetime) VALUES (?, ?, ?, NOW())");
  125. $stmtF->bind_param("iis",$id_user,$attempts,$addres);
  126. $attempts=1;
  127. $stmtF->execute();
  128. $stmtF->close();
  129. } else {
  130. $stmtE->bind_result($attempU_BD);
  131. $stmtE->fetch();
  132.  
  133. $attempU = $attempU_BD+1;
  134.  
  135. if ($attempU_BD<$attemptsU) {
  136. $stmtG = $con->prepare("UPDATE failed_login SET attempts=?, ip = ?, datetime=NOW() where id_user =?");
  137. $stmtG->bind_param("isi",$attempU,$addres,$id_user);
  138. $stmtG->execute();
  139. $stmtG->close();
  140. }
  141.  
  142. } $stmtE->close();
  143. }
  144. //registre attempts faild by user - END
  145. }
  146.  
  147. //validate user and password - HOME
  148.  
  149. if (empty($username) || empty($password)) {
  150. $message = "You need to enter a username and password";
  151. } elseif($failed_login_attempt>=$attemptsIP){
  152. $message = "'IP' blocked for 1 day";
  153. } elseif($logueado){
  154. $message = "'User' is already logged in.";
  155. } elseif($attempU>=$attemptsU){
  156. $message = "'User' blocked for 15 minutes";
  157. } elseif ($username != $usernameBD ) {
  158. $message = "The 'User' you entered does not match.";
  159. } elseif ($check_password == false) {
  160. $message = "Your entered 'Password' does not match.";
  161. } else {
  162. $_SESSION["id_user"] = $id_userBD;
  163. //$con->query("DELETE FROM failed_attempt WHERE ip = '$addres'");
  164. //$con->query("DELETE FROM failed_login WHERE id_user ='$id_user'");
  165. }
  166. //validate user and password - END
  167.  
  168. if(isset($_SESSION["id_user"])) {
  169. //echo '<script>window.location="index.php"</script>';
  170. header('location:index.php');exit;
  171. }
  172. }
  173. }
  174. ?>