Securing PHP Page Access

Hello, Today we learn how to limit the number of login attempt using PHP & MySQL.

Sometimes you need to add extra protection to the password-protected website. This article explains how to limit access to the login page can be restricted after three failed login attempts. There are a number of reasons to restrict access. One reason is security. This PHP Script uses visitors IP address to store log attempts in the MySQL database and block access to login for 10 minutes after the third failed attempt.

At first, you need to create a table in your MySQL database to store data about login attempts from a certain browser. SQL script for creating a table in MySQL Server will be the following. For other databases, it will slightly differ.

SQL Script for creating a table:

CREATE TABLE tbl_loginLimit(    
    ID int NOT NULL AUTO_INCREMENT,
    ipAddress varchar(255) NOT NULL,
    timeDiff varchar(100),
    PRIMARY KEY (ID)
);


Now after creating the Mysql database, we are going to know about the PHP Script. The script is pseudocode for limiting the login attempt.

Let us have a look at the PHP script.

PHP Script:

False Condition (When Condition is false)

<?php
include 'dbcontroller.php'; //database connection file included
$ip = $_SERVER['REMOTE_ADDR']; //getting the IP Address
$t=time(); //Storing time in variable
$diff = (time()-600); // Here 600 mean 10 minutes 10*60
mysqli_query($conn, "INSERT INTO tbl_loginLimit VALUES (null,'$ip','$t')"); //Insert Query
$result = mysqli_query($conn, "SELECT COUNT(*) FROM tbl_loginLimit WHERE ipAddress LIKE '$ip' 
          AND timeDiff > $diff"); //Fetching Data 
$count = mysqli_fetch_array($result);
if($count[0] > 3)
{
   echo "You are allowed 3 attempts in 10 minutes";
}
?>


True Condition (When Condition is true)

<?php 
$result = mysqli_query($conn, "SELECT COUNT(*) FROM tbl_loginLimit WHERE ipAddress LIKE '$ip' 
AND timeDiff > $diff"); //Fetching Data 
$count = mysqli_fetch_array($result); 
if($count[0] > 3) { 
  echo "You are allowed 3 attempts in 10 minutes"; 
} 
?>

You May Also Like:

In the above code, we have included a database connection after that we have used $_SERVER[‘REMOTE_ADDR’] HTTP request to get the IP address of the user. we have to use time() function to get the time and calculate the difference. Here we set the count limit to 3 you can increase or decrease it according to your needs.

Just place this script in your login.php file where you have checked the condition for the wrong user password.

i.e. get an idea from the below code where you have to place this script.

if(username != $username && password != $password){
    //Place False Condition script here
}  
else{   
   //Place True Condition script here
   echo  "Login Successfull ";
}


If the user enters the wrong password for 3 times on the 4th attempt it will show a message “You are allowed 3 attempts in 10 minutes”. After the 3rd unsuccessful attempt, if the user enters the correct credentials it will not be able to login and shows the same message but after 10 minutes the user can login with the correct credentials.

5 thoughts on “Limit number of login attempt using PHP & MySQL”
    1. Both are same because if user enters 3 times wrong password then 4th time if user enter the correct username & password it will prompt a message you are allowed 3times in 10minutes because after three failed attempts user is blocked for 10minutes

Leave a Reply

Your email address will not be published. Required fields are marked *