Home >Backend Development >PHP Problem >How to limit the number of login failures in PHP

How to limit the number of login failures in PHP

藏色散人
藏色散人Original
2022-01-12 10:27:073710browse

php method to limit the number of failed logins: 1. Create a table to record user login information; 2. View records of incorrect passwords; 3. Under the same IP, the same user logs in within 30 minutes If the number of incorrect passwords reaches the set number, the user will not be allowed to log in.

How to limit the number of login failures in PHP


The operating environment of this article: Windows 7 system, PHP version 7.1, DELL G3 computer

PHP realizes the number of failed logins Limit

Limit the number of incorrect login passwords

The importance of security to every website is self-evident. Among them, login is a place in the website that is more vulnerable to attacks, so how can we enhance the security of the login function?

Let’s first look at how some well-known websites do it

  • Github

    The same account on the Github website uses the same IP address to enter the password continuously. After a certain number of mistakes, the account will be locked for 30 minutes.


  • The main reason why Github does this, I think, is mainly based on the following considerations:

    1. Prevent users’ account passwords from being hacked Brute force cracking

    Implementation ideas

    Since the login function of so many websites has this function, how to implement it specifically. Let’s talk about it in detail below.

    • Ideas

      1. Need a table (user_login_info) to record user login information, whether the login is successful or failed. Record. And it needs to be able to distinguish whether the login failed or succeeded.

      2. Every time you log in, first query the user_login_info table for the last 30 minutes (assuming here that after the number of incorrect passwords reaches 5 times, the user will be disabled for 30 minutes) There are no records of related password errors, and then count whether the total number of records reaches the set number of errors.

      1. If the same user under the same IP reaches the set number of incorrect passwords within 30 minutes, the user will not be allowed to log in.

    Specific code and table design

    • Table design

    user_login_info table

       CREATE TABLE `user_login_info` (
           `id` int(10) UNSIGNED PRIMARY KEY AUTO_INCREMENT  NOT NULL,
           `uid` int(10) UNSIGNED NOT NULL,
           `ipaddr` int(10) UNSIGNED NOT NULL COMMENT '用户登陆IP',
           `logintime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP 
           COMMENT '用户登陆时间',
           `pass_wrong_time_status` tinyint(10) UNSIGNED NOT NULL COMMENT '登陆密码错误状态' 
           COMMENT '0 正确 2错误'
        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    user table (user table)

       CREATE TABLE `user` (
          `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
          `name` varchar(100) NOT NULL COMMENT '用户名',
          `email` varchar(100) NOT NULL,
          `pass` varchar(255) NOT NULL,
          `status` tinyint(3) UNSIGNED NOT NULL DEFAULT '1' COMMENT '1启用 2禁用',
           PRIMARY key(id)
        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    • Core Code
    <?php
    
    class Login
    {
    
        protected $pdo;
    
        public function __construct()
        {
            //链接数据库
            $this->connectDB();
        }
    
        protected function connectDB()
        {
            $dsn = "mysql:host=localhost;dbname=demo;charset=utf8";
            $this->pdo = new PDO($dsn, 'root', 'root');
        }
    
        //显示登录页
        public function loginPage()
        {
              include_once('./html/login.html');
    
        }
    
        //接受用户数据做登录
        public function handlerLogin()
        {
    
            $email = $_POST['email'];
            $pass = $_POST['pass'];
    
            //根据用户提交数据查询用户信息
            $sql = "select id,name,pass,reg_time from user where email = ?";
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute([$email]);
    
            $userData = $stmt->fetch(\PDO::FETCH_ASSOC);
    
            //没有对应邮箱
            if ( empty($userData) ) {
    
                echo '登录失败1';
    
                echo '<meta http-equiv="refresh" content="2;url=./login.php">';
                exit;
            }
    
            //检查用户最近30分钟密码错误次数
            $res = $this->checkPassWrongTime($userData['id']);
    
            //错误次数超过限制次数
            if ( $res === false ) {
                echo '你刚刚输错很多次密码,为了保证账户安全,系统已经将您账号锁定30min';
    
                echo '<meta http-equiv="refresh" content="2;url=./login.php">';
                exit;
            }
    
    
            //判断密码是否正确
            $isRightPass = password_verify($pass, $userData['pass']);
    
            //登录成功
            if ( $isRightPass ) {
    
                echo '登录成功';
                exit;
            } else {
    
                //记录密码错误次数
                $this->recordPassWrongTime($userData['id']);
    
                echo '登录失败2';
                echo '<meta http-equiv="refresh" content="2;url=./login.php">';
                exit;
            }
    
        }
    
        //记录密码输出信息
        protected function recordPassWrongTime($uid)
        {
    
            //ip2long()函数可以将IP地址转换成数字
            $ip = ip2long( $_SERVER['REMOTE_ADDR'] );
    
            $time = date('Y-m-d H:i:s');
            $sql = "insert into user_login_info(uid,ipaddr,logintime,pass_wrong_time_status) values($uid,$ip,'{$time}',2)";
    
    
            $stmt = $this->pdo->prepare($sql);
    
            $stmt->execute();
        }
    
        /**
         * 检查用户最近$min分钟密码错误次数
         * $uid 用户ID
         * $min  锁定时间
         * $wTIme 错误次数
         * @return 错误次数超过返回false,其他返回错误次数,提示用户
         */
        protected function checkPassWrongTime($uid, $min=30, $wTime=3)
        {
    
            if ( empty($uid) ) {
    
                throw new \Exception("第一个参数不能为空");
    
            }
    
            $time = time();
            $prevTime = time() - $min*60;
    
            //用户所在登录ip
            $ip = ip2long( $_SERVER['REMOTE_ADDR'] );
    
    
            //pass_wrong_time_status代表用户输出了密码
            $sql = "select * from user_login_info where uid={$uid} and pass_wrong_time_status=2 and UNIX_TIMESTAMP(logintime) between $prevTime and $time and ipaddr=$ip";
    
            $stmt = $this->pdo->prepare($sql);
    
            $stmt->execute();
    
            $data = $stmt->fetchAll(\PDO::FETCH_ASSOC);
    
    
            //统计错误次数
            $wrongTime = count($data);
    
            //判断错误次数是否超过限制次数
            if ( $wrongTime > $wTime ) {
                return false;
            }
    
            return $wrongTime;
    
        }
    
        public function __call($methodName, $params)
        {
    
            echo '访问的页面不存在','<a href="./login.php">返回登录页</a>';
        }
    }
    
    $a = @$_GET['a']?$_GET['a']:'loginPage';
    
    
    $login = new Login();
    
    $login->$a();
    Recommended study: "PHP Video Tutorial"

The above is the detailed content of How to limit the number of login failures in PHP. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn