hey everyone I have a addition i wanna make to my script.
however I am not sure how the way I did it caused problems
I want to add to my login code a way to detect the login_ip field in my db table to the ip in which they are logging in from if its different send them to a different page and they would receive a code to enter to validate there account ownership.
if anyone can help out it would be nice.
Thanks
ip dection
Moderator: General Moderators
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: ip dection
Post what you've got so far.
Re: ip dection
Here is the code I tried to use
This code here is the login code i use
Code: Select all
$ip2 = $_SERVER['REMOTE_ADDR'];
if($ip2 != $memb['login_ip']){
$error = TRUE;
$error_msg .='INVALID IP';
}
This code here is the login code i use
Code: Select all
if($error != TRUE) {
$r = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass' AND status='Active' LIMIT 1") or error_out("Unable to process login; please try again later.");
if(@mysql_num_rows($r) > 0) {
$row = mysql_fetch_array($r, MYSQL_ASSOC);
$_SESSION['admin_id'] = $row['id'];
$_SESSION['admin_acctno'] = $row['acct_num'];
$_SESSION['admin_user'] = $row['username'];
$_SESSION['admin_pass'] = $row['password'];
$date_login = escape_data(date('Y-m-d H:i:s'), $dbc);
$ip_login = escape_data($_SERVER['REMOTE_ADDR'], $dbc);
//if($row['login_ip'] = NULL) {
@mysql_query("UPDATE members SET login_ip='$ip_login', last_logged='$date_login' WHERE id='{$row['id']}' LIMIT 1");
$LOGIN = TRUE;
unset($row);
} else {
$error = TRUE;
$error_msg .= 'Oops! You have either enter an incorrect username or password or your account has been suspened!';
}
}
}
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: ip dection
You probably don't want to do that. Practically everyone has a dynamic IP, which means that it will be changing all the time. Do you really want them to have to type in a special password every time that happens?
Re: ip dection
well i need to do something to where it prevent unauthrozied access to accounts in case someone was to get there password stolen
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: ip dection
Is this some sort of high security thing or something? Even Google doesn't take any measures for that sort of thing...
Re: ip dection
no not really just trying to improver my script enough to make security little tighter
besides the option would be able to be disabled by the user thats why i wanna do it
besides the option would be able to be disabled by the user thats why i wanna do it
- MindOverBody
- Forum Commoner
- Posts: 96
- Joined: Fri Aug 06, 2010 9:01 pm
- Location: Osijek, Croatia
Re: ip dection
Jonah told you truth, checking IP's wont help you much.nite4000 wrote:well i need to do something to where it prevent unauthrozied access to accounts in case someone was to get there password stolen
Well, you can force often password change, but that is unpopular way. Improving password hash algorithm, and/or forcing strong password on registration will be enough.
There is one way you can be shure that user is allways using same computer, using cookies. On first login, make "non-expirable" cookie and update first_login filed in database with "done". So when user come to login again check within database if first login was made, and if it is, check for cookie. If cookie exit allow login, otherwise do some secutrity question or something to make new cookie (if user deleted cookies or so).
But keep in mind that all of these ways are bit unpopular and can make users life miserable.
My advice is to not be dr.House. Force strong passwords at registration.
Hope this will help
b0jAn