hi, thanks for that… i downloaded the PDO Bumpstart and made notes of bits… i noticed it was from 2014 and some of it is outdated? ie useing globals and SELECT * i seen ;D
i have amended your suggestions… here is my latest FINALY with login attempts !
could you just tell me if what im doing here is valid… and anymore suggestions?
[php]<?php
//CLEAN USERNAME AND PASSWORD
if (isset($_POST[‘jamin_username’]) && isset($_POST[‘jamin_password’])) {
//user
$user = $_POST[‘jamin_username’];
$user = $conn->real_escape_string($user);
$user = trim($user);
$user = strip_tags($user);
$user = htmlspecialchars($user);
$user = $purifier->purify($user);
//pass
$pass = $_POST[‘jamin_password’];
$pass = trim($pass);
$pass = strip_tags($pass);
$pass = htmlspecialchars($pass);
} else {
$user = null;
$pass = null;
}
//CHECK IF THE USER IS LOCKED OUT OR NOT
if ($login_attempts = $conn->prepare(“SELECT address FROM login_attempts WHERE address = ?”)) {
$login_attempts->bind_param(“s”, $remote_ip);
$login_attempts->execute();
$result = $login_attempts->get_result();
$row_count = $result->num_rows;
if ($row_count >= 3) {
$error = (“You have tried to log in too many times
You have been locked out until the administrator investigates this log!”);
$locked_out = true;
if ($page === Admin) {
header(‘location: ./index.php’, true);
exit();
}
}
if ($page === ‘Admin’) {
if ($row_count === 2) {
$warning = (“WARNING: Your about to be locked out!
You have 1 more attempt!
”);
}
if ($row_count === 1) {
$warning = (“WARNING: You have 2 more attempts!
”);
}
}
$login_attempts->close();
}
//ADMIN LOGIN SCRIPT
if ($locked_out === false) {
if ($action === ‘JaminLogin’) {
if (isset($_POST[‘jamin_login’])) {
if (empty($user) || empty($pass)) {
$error = (“You must fill all fields!”);
} else {
if ($jamin_login = $conn->prepare(“SELECT username, password FROM jamin_users WHERE username = ?”)) {
$jamin_login->bind_param(“s”, $user);
$jamin_login->execute();
$result = $jamin_login->get_result();
$row = $result->fetch_assoc();
if ($row) {
if (password_verify($pass, $row[‘password’])) {
$_SESSION[‘jamin_user’] = $row[‘username’];
$jamin_login->close();
header(‘location: ./?page=Admin’, true);
exit();
} else {
if ($login_attempts = $conn->prepare(“INSERT INTO login_attempts (address) VALUES (?)”)) {
$login_attempts->bind_param(“s”, $remote_ip);
$login_attempts->execute();
$login_attempts->close();
}
$error = (“Your password dose not match!”);
header(‘Refresh: 3;url=./?page=Admin’, true);
}
} else {
$error = (“Your username or password do not match!”);
}
}
}
}
}
}
//SET SESSION USERNAME VAR
if (isset($_SESSION[‘jamin_user’])) {
$jamin_user = $_SESSION[‘jamin_user’];
} else {
$jamin_user = null;//if its not set then set it to null.
}
//ADMIN LOG OUT
if ($action === ‘Logout’) {
if (isset($_SESSION[‘jamin_user’]))
{
unset($_SESSION[‘jamin_user’]);
}
header(‘location: ./?page=Admin’, true);
exit();
}
//scripts that can only be run if there is a jamin session and user is not locked out
if ($locked_out === false && $jamin_user) {
###############//start secure scripts//###############
//REGISTER JAMIN SCRIPT
if ($action === ‘JaminRegister’) {
if (isset($_POST[‘jamin_register’])) {
if (empty($user) || empty($pass)) {
$error = (“You must fill both fields!”);
} else {
if ($error === null) {
if ($user_check = $conn->prepare(“SELECT username FROM jamin_users WHERE username = ?”)) {
$user_check->bind_param(“s”, $user);
$user_check->execute();
$result = $user_check->get_result();
$row = $result->fetch_assoc();
}
if (!$row) {
if ($jamin_register = $conn->prepare(“INSERT INTO jamin_users (username, password) VALUES (?, ?)”)) {
$pass = password_hash($pass, PASSWORD_BCRYPT);
$jamin_register->bind_param(“ss”, $user, $pass);
$jamin_register->execute();
if ($jamin_register) {
$success = (“Jamin Registerd!”);
} else {
$error = (“There was a problem!”);
}
$jamin_register->close();
}
} else {
$error = (“This username already exists!”);
}
$user_check->close();
}
}
}
}
//SELECT AND OUTPUT JAMIN USERS TABLE
if ($action === ‘JaminUsers’ || $action === ‘JaminRegister’) {
if ($jamin_users = $conn->prepare(“SELECT id, username FROM jamin_users”)) {
$jamin_users->execute();
$result = $jamin_users->get_result();
$row_count = $result->num_rows;
if ($row_count >= 1) {
while ($row = $result->fetch_assoc()) {
$user_table .= (“
ID: " . $row[‘id’] . “ |
Username: " . $row[‘username’] . “ |
<input type=“checkbox” name=“DeleteJaminUser[]” value=”” . $row[‘id’] . “”> Delete |
”);
}
} else {
$user_table = (“
Nothing in the database! |
”);
}
$jamin_users->close();
}
}
//DELETE JAMIN USER SCRIPT
if ($action === ‘JaminUsers’ && $delete === ‘JaminUser’) {
if (!isset($_POST[DeleteJaminUser])) {
$error = (“You must check at least 1 user.”);
} else {
$protected_id = ‘101’;
$jamin_ids = $_POST[DeleteJaminUser];
foreach ($jamin_ids as $jamin_id) {
if ($jamin_id === $protected_id) {
$admin_del_error = (“You cannot delete the Administrator!
”);
} else {
$jamin_id = (int)$jamin_id;
if ($jamin_delete_users = $conn->prepare(“DELETE FROM jamin_users WHERE id = ?”)) {
$jamin_delete_users->bind_param(“s”, $jamin_id);
$jamin_delete_users->execute();
$jamin_delete_users->close();
}
}
}
if ($jamin_delete_users) {
header(‘location: ./?page=Admin&action=JaminUsers’, true);
exit();
} else {
$error = ($admin_del_error.“Error deleting IP record!”);
}
}
}
//SELECT AND OUTPUT JAMIN LOCKED OUT USERS TABLE
if ($action === ‘LOUsers’) {
if ($jamin_lousers = $conn->prepare(“SELECT id, address, timestamp FROM login_attempts”)) {
$jamin_lousers->execute();
$result = $jamin_lousers->get_result();
$row_count = $result->num_rows;
if ($row_count >= 1) {
while ($log_row = $result->fetch_assoc()) {
$louser_table .= ("
ID: " . $log_row[‘id’] . “ |
IP: " . $log_row[‘address’] . “ |
Attempted at: " . $log_row[‘timestamp’] . “ |
<input type=“checkbox” name=“DeleteLOUser[]” value=”” . $log_row[‘id’] . “”> Delete |
”);
}
} else {
$louser_table = (“
Nothing in the database! |
”);
}
$jamin_lousers->close();
}
}
//DELETE JAMIN LOCKED OUT USERS SCRIPT
if ($action === ‘LOUsers’ && $delete === ‘LOLog’) {
if (!isset($_POST[DeleteLOUser])) {
$error = (“You must tick at least 1 IP.”);
} else {
$jamin_ids = $_POST[DeleteLOUser];
foreach ($jamin_ids as $jamin_id) {
$jamin_id = (int)$jamin_id;
if ($jamin_delete_lousers = $conn->prepare(“DELETE FROM login_attempts WHERE id = ?”)) {
$jamin_delete_lousers->bind_param(“s”, $jamin_id);
$jamin_delete_lousers->execute();
}
}
if ($jamin_delete_lousers) {
header(‘location: ./?page=Admin&action=LOUsers’, true);
exit();
} else {
$error = ($admin_del_error.“Error deleting IP record!”);
}
$jamin_delete_lousers->close();
}
}
###############//end secure scripts//###############
}
function get_admin_cp($action, $locked_out, $jamin_user, $user_table, $louser_table) {
//IF USER IS VALID
if ($locked_out === false && $jamin_user) {
##############
//SECURE PAGES
##############
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘panel.html’;//admin panel
/////////////////////
//ADMIN DYNAMIC PAGES
////////START////////
##
//ADMIN USER LIST
if ($action === ‘JaminUsers’) {
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘users.html’;//jamin users
}
//JAMING LOCKED OUT USERS
if ($action === ‘LOUsers’) {
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘lousers.html’;//locked out users
}
//ADMIN REGISTER
if ($action === ‘JaminRegister’) {
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘register.html’;//register jamin
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘users.html’;//jamin user list
}
##
///////////
//END PAGES
///////////
} else {
require_once INCLUDES_BASEDIR.ADMIN_BASEDIR.‘login.html’;//display login if there is no session set.
}
}[/php]
thankyou again