Hi all I am very new to PHP and currently working on a small login project using PHP MYSQL. Authentication part is fine as far as email & password requirement is concerned. However I would like to use recaptcha after 5 failed attempts, hence using the below code. My problem is irrespective of number of failed attempts I can't force user to verify recaptcha as they can sign-in after 10/20/30 failed attempts with correct email & password without verifying captcha. I am not using IPaddress check neither timestamp its just against an email address I am using to keep track of failed login attempts. May be I am not able to search effectively over internet but please help...!!!
<?php
session_start(); // Starting Session
#Database connection
include('../config/connection.php');
$error=''; // Variable To Store Error Message
if (isset($_POST['submit']))
{
if (empty($_POST['email']) OR empty($_POST['password'])) {
$error = '<p class="alert alert-danger">One or either field is missing</p>';
}
$q = "SELECT login_attempts from users where email = '$email'";
$r = mysqli_query($dbc, $q) OR die(mysqli_error());
$row = mysqli_fetch_assoc($r);
if($row['login_attempts']>=5){
$url = 'https://www.google.com/recaptcha/api/siteverify';
$privatekey = "====key====";
$response = file_get_contents($url."?secret=".$privatekey."$response=".$_POST['g-recaptcha-response']."&remoteip=".$_SERVER['REMOTE_ADDR']);
$data = json_decode($response);
if(!(isset($data->success)) OR $data->success==false) {
$error = "Captch verification required as you have failed login more than 5 times !!!";
}
} else {
// Define $username and $password
$email=mysqli_real_escape_string($dbc, $_POST['email']);
$password = md5(SHA1($_POST['password']));
// SQL query to fetch information of registerd users and finds user match.
$q = "SELECT * FROM users WHERE email = '$email' AND password ='$password' AND Activation IS NULL";
$r = mysqli_query($dbc, $q)or die(mysqli_error());
$num_row = mysqli_num_rows($r);
$row=mysqli_fetch_array($r);
if( $num_row ==1 )
{
$_SESSION['username'] = $email;
header('Location:Index.php');
} else {
$query = "UPDATE users SET login_attempts=login_attempts+1 WHERE email='$email'";
$result = mysqli_query($dbc,$query) or die(mysqli_error());
$error = '<p class="alert alert-danger">Username or Password don\'t match</p>';
}
mysqli_close($dbc); // Closing Connection
}
}
?>
<body>
<div class="container" id="recovery">
<div class="row">
<div class="col-md-6 col-md-offset-3">
<div class="panel panel-warning">
<div class="panel-heading"><h2 class="panel-title"> <strong>Login</strong> </h2></div>
<div class="panel-body">
<?php if(isset($error) AND $error !=''){echo $error; }?></p>
<form action="signin.php" method="post" role="form">
<div class="form-group">
<label for="email">Email address</label>
<input type="email" class="form-control" id="email" name="email" placeholder="Email" >
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" class="form-control" id="password" name="password" placeholder="Password" >
</div>
<div class="form-group">
<a href ="recovery.php" style="float:right">Can't access my account</a>
</div>
<div class="form-group">
<div class="g-recaptcha" data-sitekey="6LcvdBMTAAAAAIYXE3ep-iUx5AWDvH7qmRdh00it"></div>
</div>
<button type="submit" name= "submit" class="btn btn-success">Sign In</button><br/><br/>
<span>Not a member yet  <a href ="register.php">Sign Up</a></span>
</form>
</div>
</div>
</div>
</div>
</div>