Blocked the user after 3 attempts in PHP?

Question

How to block the user after 3 login attempts and store it to database? I already add two columns in user table, one for number of login attempts and second, for datetime of last login. Please help me, how to do this. I'm not good in PHP.

Thanks

Here's my login.php

session_start();
$ipaddress = '';
if (getenv('HTTP_CLIENT_IP'))
    $ipaddress = getenv('HTTP_CLIENT_IP');
else if(getenv('HTTP_X_FORWARDED_FOR'))
    $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
else if(getenv('HTTP_X_FORWARDED'))
    $ipaddress = getenv('HTTP_X_FORWARDED');
else if(getenv('HTTP_FORWARDED_FOR'))
    $ipaddress = getenv('HTTP_FORWARDED_FOR');
else if(getenv('HTTP_FORWARDED'))
    $ipaddress = getenv('HTTP_FORWARDED');
else if(getenv('REMOTE_ADDR'))
    $ipaddress = getenv('REMOTE_ADDR');
else
    $ipaddress = 'UNKNOWN';

$loginDate = date("Y-m-d H:i:s");
$Error ="";
$successMessage ="";
if (isset($_POST['submit'])){
if ( !( $_POST['cnumber'] == "" && $_POST['password'] == "")){
    $cnumber=$_POST['cnumber'];
    $password= sha1($_POST['password']);
    $cnumber = filter_var($cnumber, FILTER_SANITIZE_NUMBER_INT);

if (filter_var($cnumber, FILTER_VALIDATE_INT)){
$con=mysqli_connect("localhost","root","","users");

$result = mysqli_query($con, "SELECT * FROM users WHERE contractNumber='$cnumber' AND password='$password'");
$data = mysqli_num_rows($result);

if($data==1){
    $_SESSION['login_user']=$cnumber;
    mysqli_query($con, "INSERT INTO `users`.`logs`(`contractNumber`, `lastLogin`, `ipAddress`) VALUES ('$cnumber', '$loginDate', '$ipaddress')");
    header('Location: profile.php');
} else {
    $Error ="Invalid Contract Number or Password.";
    mysqli_query($con, "UPDATE users SET loginAttempt = loginAttempt + 1 WHERE contractNumber = '$cnumber' ");
    print_r(mysqli_affected_rows($con));
} 
    mysqli_close($con);
} else {
    $Error ="Invalid Contract Number.";
 }
} else {
    $Error ="Contract Number or Password is Empty.";
}
}

Answer 1

A similar Q&A can be found in this thread: Increment a database field by 1

The login attempts should actually be stored separately from the user table. You can block login attempts by storing the number of attempts client side (putting the number of attempts in a cookie) or by storing the IP of the user trying to log in with the number of attempts server side (in your sql database); incrementing the number of attempts per each failed login. The cookie method has a drawback of being easily circumvented by an attacker. The IP address method is more difficult to circumvent but has a drawback of blocking people sharing the same IP. I would use a little bit of both methods; applying rules like 3 attempts for the cookie and 15 attempts for the IP address/attempts table.

IP address variable: $_SERVER["REMOTE_ADDR"];
Getting cookies: $_COOKIE["cookie_name"];
Setting cookies: setcookie("cookie_name", "value", time()+$seconds);

Basic implementation of the cookie method:

// before login attempt:
$attempt_count = intval(@$_COOKIE["login_count"]); 
if($attempt_count > 3){
   die("Too many attempts");
}

_

// on failed login attempt:
setcookie("login_count", $login_count+1, time()+600);
// cookie set to expire at (now+600 seconds); 10 minutes

http://php.net/manual/en/function.setcookie.php

Answer 2

First when the user tries with incorrect password you have to increment login attempt field by one. Then check the login attempt count equals to 3 or not. if it is 3 means then block the user by changing their status

    $result = mysqli_query($con, "SELECT * FROM Users WHERE contractNumber='$cnumber' AND password='$password'");
    $data = mysqli_num_rows($result);
    if($data==1)
    {
          $_SESSION['login_user']=$cnumber; // Initializing Session
          header('Location: profile.php');
    } 
    else
    {
          mysqli_query($con, "UPDATE tablename login_attempts = login_attempts+1 WHERE contarct_number = ". $cnumber");
          /*Select query login attempts and check the count*/


    }

Answer 3

Don't use cookies as the hacker can still disable cookies and continue brute force attacks. Use your database instead. For every failed attempt, log it into the table, together with a time stamp. Then on each request, do a query with the user ID and time stamp, then get the count. That should give you the number of times tried.