ip dection

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

ip dection

Post by nite4000 »

hey everyone I have a addition i wanna make to my script.

however I am not sure how the way I did it caused problems

I want to add to my login code a way to detect the login_ip field in my db table to the ip in which they are logging in from if its different send them to a different page and they would receive a code to enter to validate there account ownership.


if anyone can help out it would be nice.

Thanks
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: ip dection

Post by John Cartwright »

Post what you've got so far.
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: ip dection

Post by nite4000 »

Here is the code I tried to use

Code: Select all

	$ip2 = $_SERVER['REMOTE_ADDR'];
		if($ip2 != $memb['login_ip']){
		$error = TRUE;
		$error_msg .='INVALID IP';
		}

This code here is the login code i use


Code: Select all

if($error != TRUE) {

      $r = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass' AND status='Active' LIMIT 1") or error_out("Unable to process login; please try again later.");
	if(@mysql_num_rows($r) > 0) {
        $row = mysql_fetch_array($r, MYSQL_ASSOC);
        $_SESSION['admin_id'] = $row['id'];
		 $_SESSION['admin_acctno'] = $row['acct_num'];
        $_SESSION['admin_user'] = $row['username'];
        $_SESSION['admin_pass'] = $row['password'];
	    $date_login = escape_data(date('Y-m-d H:i:s'), $dbc);
        $ip_login = escape_data($_SERVER['REMOTE_ADDR'], $dbc);
       
	   //if($row['login_ip'] = NULL) {
	   	     
	    @mysql_query("UPDATE members SET login_ip='$ip_login', last_logged='$date_login' WHERE id='{$row['id']}' LIMIT 1");
		$LOGIN = TRUE;
        unset($row);
      } else {
	
	    $error = TRUE;
        $error_msg .= 'Oops! You have either enter an incorrect username or password or your account has been suspened!';
      }
    }
	}
User avatar
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: ip dection

Post by Jonah Bron »

You probably don't want to do that. Practically everyone has a dynamic IP, which means that it will be changing all the time. Do you really want them to have to type in a special password every time that happens?
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: ip dection

Post by nite4000 »

well i need to do something to where it prevent unauthrozied access to accounts in case someone was to get there password stolen
User avatar
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: ip dection

Post by Jonah Bron »

Is this some sort of high security thing or something? Even Google doesn't take any measures for that sort of thing...
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: ip dection

Post by nite4000 »

no not really just trying to improver my script enough to make security little tighter

besides the option would be able to be disabled by the user thats why i wanna do it
User avatar
MindOverBody
Forum Commoner
Posts: 96
Joined: Fri Aug 06, 2010 9:01 pm
Location: Osijek, Croatia

Re: ip dection

Post by MindOverBody »

nite4000 wrote:well i need to do something to where it prevent unauthrozied access to accounts in case someone was to get there password stolen
Jonah told you truth, checking IP's wont help you much.

Well, you can force often password change, but that is unpopular way. Improving password hash algorithm, and/or forcing strong password on registration will be enough.

There is one way you can be shure that user is allways using same computer, using cookies. On first login, make "non-expirable" cookie and update first_login filed in database with "done". So when user come to login again check within database if first login was made, and if it is, check for cookie. If cookie exit allow login, otherwise do some secutrity question or something to make new cookie (if user deleted cookies or so).

But keep in mind that all of these ways are bit unpopular and can make users life miserable. ;)
My advice is to not be dr.House. Force strong passwords at registration.

Hope this will help
b0jAn
Post Reply