IP detection
Posted: Sat Sep 04, 2010 11:30 am
by nite4000
Hey everyone, I have an addition I wanna make to my script.
However, I am not sure how the way I did it caused problems.
I want to add to my login code a way to check the login_ip field in my db table against the IP from which they are logging in; if it's different, send them to a different page, and they would receive a code to enter to validate their account ownership.
If anyone can help out it would be nice.
Thanks
Re: IP detection
Posted: Sat Sep 04, 2010 2:49 pm
by John Cartwright
Post what you've got so far.
Re: IP detection
Posted: Sat Sep 04, 2010 3:59 pm
by nite4000
Here is the code I tried to use
Code:
$ip2 = $_SERVER['REMOTE_ADDR'];
if($ip2 != $memb['login_ip']){
    $error = TRUE;
    $error_msg .='INVALID IP';
}
This code here is the login code I use
Code:
if($error != TRUE) {
    // $user and $pass are placed directly into the SQL string, so they must
    // already be escaped (e.g. with escape_data()) before this point
    $r = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass' AND status='Active' LIMIT 1") or error_out("Unable to process login; please try again later.");
    if(@mysql_num_rows($r) > 0) {
        $row = mysql_fetch_array($r, MYSQL_ASSOC);
        $_SESSION['admin_id'] = $row['id'];
        $_SESSION['admin_acctno'] = $row['acct_num'];
        $_SESSION['admin_user'] = $row['username'];
        $_SESSION['admin_pass'] = $row['password'];
        $date_login = escape_data(date('Y-m-d H:i:s'), $dbc);
        $ip_login = escape_data($_SERVER['REMOTE_ADDR'], $dbc);
        //if($row['login_ip'] = NULL) {
        // Record the IP and time of this successful login
        @mysql_query("UPDATE members SET login_ip='$ip_login', last_logged='$date_login' WHERE id='{$row['id']}' LIMIT 1");
        $LOGIN = TRUE;
        unset($row);
    } else {
        $error = TRUE;
        $error_msg .= 'Oops! You have either enter an incorrect username or password or your account has been suspened!';
    }
}
}
Re: IP detection
Posted: Sat Sep 04, 2010 8:03 pm
by Jonah Bron
You probably don't want to do that. Practically everyone has a dynamic IP, which means that it will be changing all the time. Do you really want them to have to type in a special password every time that happens?
Re: IP detection
Posted: Sat Sep 04, 2010 8:31 pm
by nite4000
Well, I need to do something to where it prevents unauthorized access to accounts in case someone was to get their password stolen.
Re: IP detection
Posted: Sat Sep 04, 2010 8:55 pm
by Jonah Bron
Is this some sort of high security thing or something? Even Google doesn't take any measures for that sort of thing...
Re: IP detection
Posted: Sat Sep 04, 2010 8:59 pm
by nite4000
No, not really, just trying to improve my script enough to make security a little tighter.
Besides, the option would be able to be disabled by the user, that's why I wanna do it.
Re: IP detection
Posted: Sat Sep 04, 2010 9:33 pm
by MindOverBody
nite4000 wrote: Well, I need to do something to where it prevents unauthorized access to accounts in case someone was to get their password stolen.
Jonah told you the truth, checking IPs won't help you much.
Well, you can force frequent password changes, but that is an unpopular way. Improving the password hash algorithm and/or forcing strong passwords on registration will be enough.
There is one way you can be sure that the user is always using the same computer: using cookies. On first login, make a "non-expirable" cookie and update the first_login field in the database with "done". So when the user comes to log in again, check within the database if the first login was made, and if it was, check for the cookie. If the cookie exists, allow login; otherwise do some security question or something to make a new cookie (if the user deleted cookies or so).
But keep in mind that all of these ways are a bit unpopular and can make users' lives miserable.

My advice is to not be Dr. House. Force strong passwords at registration.
Hope this will help.
b0jAn
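The cookie approach from the last post, combined with the one-time code from the original question, as an added example that is not code from the thread. It stores only a hash of a random cookie token, so the cookie cannot be forged by someone who merely knows the account exists. Assumptions: the `device_hash` and `challenge` fields and the `device` cookie name are hypothetical, an in-memory array stands in for the members table, and one remembered device per account is tracked.

```php
<?php
// Added example, not code from the thread. $member stands in for one row of
// the members table; device_hash and challenge are hypothetical columns.
// New device token: the raw value goes in the cookie, only its hash is stored.
function issue_device_token(array &$member): string {
    $token = bin2hex(random_bytes(32));
    $member['device_hash'] = hash('sha256', $token);
    return $token;
}

// Constant-time check of the cookie value against the stored hash.
function device_is_known(array $member, ?string $cookie): bool {
    return $cookie !== null && $member['device_hash'] !== null
        && hash_equals($member['device_hash'], hash('sha256', $cookie));
}

// Unknown device: create a 6-digit code valid for 10 minutes (sent by e-mail).
function start_challenge(array &$member, int $now): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $member['challenge'] = ['hash' => hash('sha256', $code), 'expires' => $now + 600];
    return $code;
}

// Single-use check: the code is cleared whether or not it matches.
function finish_challenge(array &$member, string $code, int $now): ?string {
    $c = $member['challenge'];
    $member['challenge'] = null;
    if ($c === null || $now > $c['expires']
        || !hash_equals($c['hash'], hash('sha256', $code))) {
        return null;
    }
    return issue_device_token($member);
}

// Constructed walk-through; the password check is assumed to have passed.
$member = ['id' => 1, 'device_hash' => null, 'challenge' => null];
$now = time();
$seen = ['no cookie yet' => device_is_known($member, $_COOKIE['device'] ?? null)];
start_challenge($member, $now);
$seen['wrong code'] = finish_challenge($member, 'not-it', $now) !== null;
$code = start_challenge($member, $now);
$token = finish_challenge($member, $code, $now);
if (PHP_SAPI !== 'cli') {   // cookie can only be set in a web request
    setcookie('device', $token, ['expires' => $now + 31536000,
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
$seen['valid cookie'] = device_is_known($member, $token);
$seen['forged cookie'] = device_is_known($member, 'forged');
var_dump($seen);
```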