Throttle an Authentication Form
(Chapter 7, Authentication and Authorization - Pg 66-67)
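<?php
/*
 * Throttle an authentication form.
 *
 * A username whose most recent login failure is less than 15 seconds old is
 * not checked again until that window has passed; every failed attempt moves
 * last_failure forward. Database connection setup is outside this listing.
 */
/* mysql_connect() */
/* mysql_select_db() */
$clean = array();
$mysql = array();
$now = time();
/* Any last_failure newer than this still throttles the account. */
$max = $now - 15;
$salt = 'SHIFLETT';

/* Guard against a missing or non-scalar field before ctype_alnum() sees it;
   an absent key would otherwise raise a notice and be treated as invalid. */
if (isset($_POST['username'])
    && is_string($_POST['username'])
    && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
} else {
    /* ... invalid username: this branch must not fall through to the query below */
}

/* NOTE(review): fixed-salt md5 is a legacy scheme kept here because it matches the
   stored format; password_hash()/password_verify() is the replacement when the
   users table can be migrated. */
$password = (isset($_POST['password']) && is_string($_POST['password']))
    ? $_POST['password']
    : '';
$clean['password'] = md5($salt . md5($password . $salt));

$mysql['username'] = mysql_real_escape_string($clean['username']);
$sql = "SELECT last_failure, password
        FROM users
        WHERE username = '{$mysql['username']}'";

if ($result = mysql_query($sql)) {
    if (mysql_num_rows($result)) {
        $record = mysql_fetch_assoc($result);
        /* The driver returns columns as strings; compare the timestamp as an int. */
        if ((int) $record['last_failure'] > $max) {
            /* Less than 15 seconds since last failure */
        } elseif (hash_equals((string) $record['password'], $clean['password'])) {
            /* Successful Login.
               hash_equals() is a strict, constant-time comparison; a loose ==
               would treat two hex digests of the form "0e..." as equal numbers. */
        } else {
            /* Failed Login: record the time so the next attempt is throttled */
            $sql = "UPDATE users
                    SET last_failure = '$now'
                    WHERE username = '{$mysql['username']}'";
            mysql_query($sql);
        }
    } else {
        /* Invalid Username */
    }
} else {
    /* Error */
}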