
Untitled

a guest
Aug 14th, 2017
  1. <?php
  2.     function login($check_username,$check_password)
  3.     {
  4.         //make vars safe from SQL injection
  5.         $check_username = mysql_real_escape_string($check_username);
  6.         $check_password = md5($check_password);
  7.         $check_password = mysql_real_escape_string($check_password);
  8.        
  9.         //grab user from database
  10.         $result = mysql_query("SELECT * FROM `users` WHERE `username`='".$check_username."'") or die(mysql_error());  
  11.         $row = mysql_fetch_array( $result );
  12.         $user_id = $row['user_id'];
  13.         $user_password = $row['password'];
  14.         $user_login_attempts = $row['login_attempts'];
  15.         $user_login_time = $row['login_time'];
  16.         $time_diff = timeDifference($user_login_time);
  17.        
  18.         //check username exists
  19.         if ($user_id != null) {
  20.             //check user is allowed to login
  21.             if (time() >= $user_login_time) {
  22.                 //check user gave the correct password
  23.                 if ($check_password === $user_password) {
  24.                     //user has passed all the amazing protections/tests, let them login!
  25.                     $_SESSION['logged_in'] = true;
  26.                     $_SESSION['user_id'] = $user_id;
  27.                    
  28.                     //reset login attempts and login time
  29.                     $user_login_attempts = 0;
  30.                     $user_login_time = 0;
  31.                 } else {
  32.                     //incorrect password
  33.                     //increase login attempts by 1
  34.                     $user_login_attempts++;
  35.                    
  36.                     //determine if user needs to wait b4 logging in again
  37.                     if ($user_login_attempts < 3) {
  38.                         $user_login_time = 0;
  39.                         echo "Sorry, you have entered an incorrect password. Please try again.";
  40.                     } else {
  41.                         //add five minutes wait per extra failed login attempt
  42.                         $user_login_time = time() + (($user_login_attempts - 2) * 5 * 60);
  43.                         $time_diff = timeDifference($user_login_time);
  44.                         echo "Sorry, you have entered an incorrect password. Due to too many failed attempts, please try again in ".$time_diff.".";
  45.                     }
  46.                 }
  47.                
  48.                 //update login attempts/time
  49.                 $result = mysql_query("UPDATE `users` SET `login_attempts`='".$user_login_attempts."' WHERE `user_id`='".$user_id."'") or die(mysql_error());
  50.                 $result = mysql_query("UPDATE `users` SET `login_time`='".$user_login_time."' WHERE `user_id`='".$user_id."'") or die(mysql_error());
  51.             } else {
  52.                 //user must wait b4 reattempting to login
  53.                 echo "Sorry, you may not login for ".$time_diff." due to too many failed attempts. Please try again in ".$time_diff.".";
  54.             }
  55.         } else {
  56.             //user doesn't exist, try again
  57.             echo "Sorry, but that username does not exist. Please try again.";
  58.         }
  59.     }
  60.     //!function login($check_username,$check_password)
  61. ?>