
What's wrong in my code? It seems like it's not counting even if I try many attempts because I want to redirect the user to account registration page after 3 error attempts. But if I change the $atmp = 0; to $atmp = 3;, it redirects me to the registration page. My problem is that it is not counting the attempts.

<?php
$atmp = 0;
if (isset($_POST['login'])) {
    $user  = $_POST['username'];
    $pword = $_POST['password'];
    include ("connection.php");
    $atmp = $_POST['hidden'];
    if ($atmp < 3) {
        $query  = "SELECT fld_username, fld_password FROM tbl_account WHERE fld_username = '$user' AND fld_password = '$pword'";
        $result = mysqli_query($conn, $query);
        // check the query result, not the query string (which is always truthy)
        if ($result) {
            if (mysqli_num_rows($result)) {
                while (mysqli_fetch_array($result)) {
                    echo "<script> alert('You are logged in Successfully!'); window.location = 'profile.php'; </script>";
                }
            }
            else {
                $atmp++;
                echo '<script> alert("You have invalid username/password and the number of attempt is '. $atmp .'");window.location = "index.php";</script>';
            }
        }
    }
    if ($atmp == 3) {
        echo '<script> alert("You have invalid username/password!");window.location = "accountregistration.php";</script>';
    }
}
?>

This is the code for HTML

<!DOCTYPE html>
<html>
<head>
<title>LOGIN</title>
</head>
<body>
<form action="" method="POST">
    <?php
    echo "<input type = 'hidden' name = 'hidden' value =  '".$atmp."'>";
    ?>
    <fieldset>
        <legend>Login</legend>
        <label>Username:</label><input type="Text" name="username" id="username"><br><br>
        <label>Password:</label><input type="password" name="password" id="password"><br><br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<input name="login" type="submit" value="Login"> &nbsp; <input name="clear" type="reset" value="Clear">
    </fieldset>
</form>
</body>
</html>
  • 1) Think of a better name than "hidden". Try "atm". 2) Inspect your HTML in a browser. Is the `` tag being formatted correctly at the client? 3) Finally, check your server-side (PHP) logic. Is atm correct each time ... or are you inadvertently setting it to "0" each time PHP sends a new request? – paulsm4 Nov 05 '21 at 04:26
  • I've tried changing the name to 'atm' but it is still not increasing the number of attempts whenever I click the login button. It just stays at "You have invalid username/password and the number of attempt is 1". It should increase up to 3 attempts and when it hit the 3rd attempt, it will now redirect me to the account registration –  Nov 05 '21 at 05:01
  • Aren't the PHP and HTML in the same file? They have to be for the `$atmp` variable to carry across. – Tim Roberts Nov 05 '21 at 05:16
  • Yes, the PHP and HTML are in the same file –  Nov 05 '21 at 05:28
  • Don't use a hidden field to store the attempts - the user can manipulate it to reset them to 0. It's not secure. Store this value server-side in the session or in your database – ADyson Nov 05 '21 at 09:04
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 05 '21 at 10:11
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Nov 05 '21 at 10:11

1 Answer

In your PHP,

window.location = "index.php"

makes your page redirect to a new page, where there is no $_POST variable (no form submitted), so $atmp resets to 0.

Remove that part and I think your code will work.

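As an added example (not the asker's code or the answerer's), here is the same login flow with the attempt counter kept in `$_SESSION` instead of a hidden field, as the comments recommend, together with a prepared statement and `password_verify()`. It assumes `connection.php` defines a mysqli `$conn`, that `fld_password` holds `password_hash()` output, and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example: attempts are counted server-side in $_SESSION, which the
// client cannot edit, instead of a hidden form field that resets on redirect.
// Assumes connection.php defines $conn (mysqli) and that tbl_account.fld_password
// stores password_hash() output rather than plain text.
session_start();
include 'connection.php';

const MAX_ATTEMPTS = 3;

if (isset($_POST['login'])) {
    $_SESSION['attempts'] = $_SESSION['attempts'] ?? 0;

    // Lock out before even querying once the limit has been reached.
    if ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
        header('Location: accountregistration.php');
        exit;
    }

    $user  = $_POST['username'] ?? '';
    $pword = $_POST['password'] ?? '';

    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $conn->prepare('SELECT fld_password FROM tbl_account WHERE fld_username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() compares the submitted password against the stored hash.
    if ($row !== null && password_verify($pword, $row['fld_password'])) {
        $_SESSION['attempts'] = 0;
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['user'] = $user;
        header('Location: profile.php');
        exit;
    }

    // Failure path: the counter survives the redirect because it lives in the session.
    $_SESSION['attempts']++;
    if ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
        header('Location: accountregistration.php');
        exit;
    }
    $remaining = MAX_ATTEMPTS - $_SESSION['attempts'];
    echo 'Invalid username/password. Attempts left: ' . $remaining;
}
?>
```

The HTML form below this block no longer needs the hidden input at all; the counter is never sent to the browser.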