Security-PHP登录尝试功能

I'm working on login form and I have to limit attempts to 3 and then block any form submit for 10 minutes. The following code isn't working correctly and I need to know how to block submitting after unsuccessful attempts. Thanks.

function autoDefender($attempts,$username,$pass)
    {
    $logins=0;
    $logins++;
    $ats = $attempts-$logins;
        if (isset($_POST['password']) && isset($_POST['userName']))
        {
            if($_POST['password']!=$pass && $_POST['userName']!=$username)
                {   
                    if($logins == $attempts)
                        {
                         echo ("<div class='errmg'>Acess denied for 1 minute</div>");
                        }
                    echo ("<div class='errmg'>Error:
                    invalid username or pass; <span class='atmpts'>$ats</span> attempts left</div>");
                }
        }
    }

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douhuangjian9627 2011-07-29 19:06
关注
The problem here is that with each call of autoDefender the local variable $logins is reset to 0. So the state of how many attempts actually took place is not not maintained across multiple calls of autoDefender.

You need to store this information somewhere persistently. In your case even across multiple requests.

Note that this does also poses an attack surface for Denial of Service attacks as you can lock-out other users. So you should think twice who you attribute a failed attempt to. If you do it per user, you an attacker might lock-out many users when doing a bulk attack on all users. If you do it per remote client (e.g. IP address), you might lock-out other innocent users that just happen to use the same system (e.g. company or university network). If you do it per session, an attacker might just drop the issued session ID.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

Security-PHP登录尝试功能 php
2011-07-29 18:02

回答 2 已采纳 The problem here is that with each call of autoDefender the local variable $logins is reset to 0.
尝试使用谷歌PHP API的刷新令牌 php
2015-08-23 12:58

回答 1 已采纳 The error in Notice: Undefined property: stdClass::$refresh_token in C:\xampp\htdocs\trial\log-in
Laravel 5.6登录尝试失败 - 登录提交时返回方法RequestGuard ::尝试不存在 laravel php
2018-12-10 11:00

回答 1 已采纳 So to answer this question, after racking my brain, I decided to clear the application, configurat
svg-sanitizer：一个PHP SVGXML Sanitizer
2021-02-06 00:08

这是我在PHP中构建体面的SVG消毒剂的尝试。这项工作是从借来的。安装要么要求通过作曲家将其压缩enshrined/svg-sanitize ，要么下载该回购协议并包含旧方法！用法使用它很容易。创建enshrined\svgSanitize\...
我在安全传输方面的尝试在多大程度上变得多余？ https php ssl
2019-04-14 19:02

回答 1 已采纳 HTTPS protects the transport between the client (browser) and the server. It specifically does not
用于计算登录尝试的会话变量 php
2012-10-11 08:09

回答 1 已采纳 I think you should use CHttpSession instead of $_SESSION $session=new CHttpSession; $session->
尝试使用PHP标头（“位置：”）功能重定向 mysql php
2011-10-28 03:08

回答 3 已采纳 This line is wrong: header("location: product.php?product_id='.$product_id.'"); should look lik
PHP-FPM 配置文件详解
2022-06-29 22:28

迷津幻渡的博客本文将按照配置文件顺序解释指令含义，包含了当前版本的全部指令，少量字段并没有搞懂，感觉不影响日常...非常有意思的功能（默认关闭状态），fp.................................................................
Codeigniter - 尝试获取非对象的属性 php
2013-06-16 03:42

回答 1 已采纳 You may want to add a value check to the $this->db->get_where('posts', array('id' => $id)
AJAX - 尝试使用去抖动实现实时搜索 ajax javascript jquery php
2016-12-19 10:13

回答 1 已采纳 Your code doesn't include the Underscore library, so _.debounce() won't be available to use. That
SQL注入尝试 - 我的代码容易受到攻击吗？ php sql
2014-03-31 18:25

回答 2 已采纳 No, this code is not vulnerable to SQL injections. Both the intval conversion and prepared statem
TwoFactorAuth：两因素验证（TFA 2FA）PHP库
2021-02-05 16:20

，，或取决于您使用的内置RNG（TwoFactorAuth会尝试“自动检测”并使用最好的可用RNG）；但是：请随时提供您自己的（CS）RNG。（可选）您可能需要：如果使用EndroidQrCodeProvider 。如果使用Baco
AWS Apache PHP在外部工作但在尝试使用IP调用时失败 apache php
2014-04-29 23:25

回答 1 已采纳 Turns out the php_curl lib was not part of PHP5 installation. I installed it and everything works
Linux学习-84-安装PHP
2022-12-12 18:05

褚师子书的博客 Linux学习-84-安装PHP
rickroll-security-spring-boot-starter:这个Spring Boot Starter会将已配置的路径重新路由到Rick Astley的视频-从不放弃
2021-05-06 00:57

Rickroll Security Spring Boot Starter 该入门程序会将已配置的路径和/或文件扩展名重新路由到Rick Astley-永不放弃的视频。示例用例新手黑客经常尝试访问安全页面。 Spring Actuator端点是黑客可能造成严重破坏...
没有解决我的问题, 去提问

悬赏问题

¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
¥20 软件测试决策法疑问求解答
¥15 win11 23H2删除推荐的项目，支持注册表等
¥15 matlab 用yalmip搭建模型，cplex求解，线性化处理的方法
¥15 qt6.6.3 基于百度云的语音识别不会改
¥15 关于#目标检测#的问题：大概就是类似后台自动检测某下架商品的库存，在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
¥15 神经网络怎么把隐含层变量融合到损失函数中？
¥15 lingo18勾选global solver求解使用的算法
¥15 全部备份安卓app数据包括密码，可以复制到另一手机上运行
¥20 测距传感器数据手册i2c

Security-PHP登录尝试功能

2条回答 默认 最新

悬赏问题

2条回答默认最新