
alexandre

Member, 253 posts
Everything posted by alexandre

  1. yes, thank you very much. The blocking of the IP address is being done without problems now. The only question remaining about this in my head would be: if I am not using the feature of the database especially designed to handle IP addresses, would it be a wrong choice, or is storing the IP address as a varchar 45 fine? I did it this way because that's the first method to do that I saw on the internet, but I am still unsure if there is a downside to not using this database feature.
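An added example, not code from the thread, on the storage question in the post above: canonicalise the address before it is stored or compared, so the same client cannot show up under several spellings, and see where the 45-character width comes from. The function names and the sample addresses are illustrative assumptions; it assumes PHP 8 and the standard inet_pton()/inet_ntop() and filter_var() functions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: canonicalise a client address before
// storing or comparing it, so "::1", "0:0:0:0:0:0:0:1" and "::0001" all map to
// the same malicious_attempts row. Names and sample inputs are illustrative.

// The longest textual form of an address is an IPv4-mapped IPv6 address written
// out in full, "0000:0000:0000:0000:0000:ffff:255.255.255.255": 45 characters.
// That is where the conventional VARCHAR(45) width comes from.
const MAX_IP_TEXT_LEN = 45;

// Text form for a VARCHAR(45) column: validated, then reduced to the canonical
// spelling (inet_ntop() compresses IPv6 the way RFC 5952 recommends).
function normalize_ip(string $raw): ?string
{
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;                       // junk, header-injection attempts, etc.
    }
    return inet_ntop(inet_pton($raw));
}

// Binary form for a VARBINARY(16) column: 4 bytes for IPv4, 16 for IPv6.
// These are the same bytes MySQL's INET6_ATON()/INET6_NTOA() read and write,
// so the column stays usable from SQL as well as from PHP.
function ip_to_binary(string $raw): ?string
{
    $canon = normalize_ip($raw);
    return $canon === null ? null : inet_pton($canon);
}

function ip_family(string $packed): string
{
    return strlen($packed) === 4 ? 'IPv4' : 'IPv6';
}

// Constructed inputs as they might show up in $_SERVER['REMOTE_ADDR'] or in a
// proxy header; the last two must be rejected.
$samples = [
    '::1',                        // IPv6 loopback: what XAMPP shows on localhost
    '0:0:0:0:0:0:0:1',            // the same address, uncompressed
    '192.168.1.20',
    '::ffff:192.168.1.20',        // IPv4-mapped IPv6
    '2001:db8::1',
    '999.1.1.1',
    "10.0.0.1\r\nX-Injected: 1",
];

foreach ($samples as $s) {
    $canon = normalize_ip($s);
    if ($canon === null) {
        printf("%-32s -> rejected\n", json_encode($s));
        continue;
    }
    $packed = ip_to_binary($s);
    printf("%-32s -> %-22s %s, %2d chars, %2d bytes\n",
        json_encode($s), $canon, ip_family($packed), strlen($canon), strlen($packed));
    if (strlen($canon) > MAX_IP_TEXT_LEN) {
        throw new LengthException('canonical form longer than VARCHAR(' . MAX_IP_TEXT_LEN . ')');
    }
}
```

Either column type works for a block list; what matters is that the value written is the canonical form, otherwise a lookup by `WHERE ip_address = ?` can miss the row for an address that was stored under a different spelling.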
  2. it worked, the number one disappeared as I changed the tag for the include.. when I think that I just wasted 4 days being mad at my code 😂
  3. I honestly don't know about that. I thought it was simply the way to include PHP into HTML, but I should have noticed the difference between the normal PHP tags and the ones I am using. I will go look this up. Thank you for specifying it.
  4. I just realized that not long ago I switched my code: instead of only using PHP to do everything, I declared the variables in PHP to then output them in the HTML, but as it was before, only with PHP, it wasn't showing those number ones.
  5. that's strange... I can see the number one everywhere now that I am aware of it 😂.. would you have a solution to this issue? Does it count if it is included in the PHP part of the code? Because I just found that on the subscription page the countdown is included in the PHP and it doesn't show the boolean result.
  6. even on Google it doesn't say anything about this.. should I be including the file in the PHP and filtering the output to only display the timer and not the boolean?
  7. I use the same method to display my paginations and it is not showing me any boolean result.. is there something I don't know about the use of the include in a table? Because, to me, I don't see any logical reason: my paginations are also included in the HTML, so there isn't much difference left that it can be. In the include above, I didn't close the line inside the quotes with a semicolon (or whatever the dot and comma is called), but once I did, it didn't change anything.
  8. for real? But why would it be appearing if I don't use a return for this exact boolean? By that I mean that I have been using many includes and this is the first time it is returning a boolean.
  9. so I am trying to include the timer of the events in the user profile table, and for some reason there is a number 1 appearing from nowhere, but only if I include the whole countdown file; if I just paste the code in my profile file it doesn't appear, but I also can't get the timer to set a date. I would need to figure out why this number one is spawning for no reason, since this is not even showing on the actual subscription page that initially works with the subscription countdown file, and everything is working well on this side.. this is just strange.

     <?php
     // Look up this user's subscription end date; fall back to a fixed date if there is none.
     $stmt = $con->prepare("SELECT subscriptiondate, sub_status FROM subscriptions WHERE user_id = ?");
     $stmt->bind_param('i', $_SESSION['id']);
     $stmt->execute();
     $stmt->bind_result($sub_date, $sub_status);
     $stmt->fetch();
     $stmt->close();

     if (isset($sub_date)) {
         $subscription_time = $sub_date;
     } else if (!isset($sub_date)) {
         $subscription_time = '2022-11-05 23:59:59';
     }
     $rem_time = $subscription_time;
     $target = $rem_time; // SET OR GET TARGET TIME HERE
     $targ = new DateTime($target);
     $target_time = $targ->format('g:ia');
     $target_date = $targ->format('F jS Y');
     $remain = ['days' => 0, 'hrs' => 0, 'mins' => 0, 'secs' => 0];
     #$dt1 = new DateTime( $_GET['target'] );
     $dt2 = new DateTime('now');
     // Only count down while the target is still in the future.
     if ($targ > $dt2) {
         $diff = $targ->diff($dt2);
         $remain['days'] = $diff->days;
         $remain['hrs'] = $diff->h;
         $remain['mins'] = $diff->i;
         $remain['secs'] = $diff->s;
     }
     ?>
     <!DOCTYPE html>
     <html lang="en">
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <link rel="stylesheet" href="donation-clash.css" type="text/css">
     <title>Countdown</title>
     </head>
     <body class="body4">
     <div class="timerall">
     <p class="p3">Countdown to</p>
     <p class='target'><?=$target_time?> on <?=$target_date?></p>
     <table>
     <tr>
     <th>Days</th><th>Hours</th><th>Mins</th><th>secs</th>
     </tr>
     <tr>
     <td class='remain' id='days'><?=$remain['days']?></td>
     <td class='remain' id='hrs'><?=$remain['hrs']?></td>
     <td class='remain' id='mins'><?=$remain['mins']?></td>
     <td class='remain' id='secs'><?=$remain['secs']?></td>
     </tr>
     </table>
     </div>
     </body>
     </html>

     so this above is the countdown file for the subscription.

     <div>
     <p>registered to the:</p>
     <table>
     <tr>
     <th>Quicky event</th><th>Bronze event</th><th>Silver event</th><th>Golden event</th><th>Vip event</th><th class="sub_th">monthly Subscription</th>
     </tr>
     <tr>
     <td><?=$quicky_status?></td><td><?=$bronze_status?></td><td><?=$silver_status?></td><td><?=$golden_status?></td><td><?=$vip_status?></td><td class="sub_th"><?=$subscription?></td>
     </tr>
     <tr>
     <td><?=$totalparticipant5?></td><td><?=$totalparticipant?></td><td><?=$totalparticipant2?></td><td><?=$totalparticipant3?></td><td><?=$totalparticipant4?></td><td class="sub_th"><?=include '../subscribe/sub_countdown.php'?></td>
     </tr>
     </table>
     </div>

     and this above is the part of the profile page including the countdown file. In the image you can clearly see under the timer that there is a 1 that should not be there. If anyone can find the cause of that, please let me know, because it has been about 3 to 4 days that I have been stuck on that...
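An added example, not code from the thread, for the stray 1 discussed in the posts above: it reproduces what `<?= include ... ?>` really does and shows two ways to include a template without printing the include's return value. It writes two small template files to a temp directory so it runs on its own; in the project the included file is sub_countdown.php, and the template contents and function names here are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: reproduce the stray "1" that
// "<?= include 'sub_countdown.php' ?>" prints, and show two ways around it.
// Two small template files are written to a temp dir so the script runs alone.

$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);

// Template 1 prints its own HTML, like the countdown file in the thread.
file_put_contents($dir . '/timer_echo.php', <<<'TPL'
<?php $remain = ['days' => 3, 'hrs' => 4]; ?>
<span class="remain"><?= $remain['days'] ?>d <?= $remain['hrs'] ?>h</span>
TPL);

// Template 2 returns its data and prints nothing; the page decides the markup.
file_put_contents($dir . '/timer_return.php', <<<'TPL'
<?php
return ['days' => 3, 'hrs' => 4];
TPL);

// What "<?= include $file ?>" compiles to. The short echo tag is "echo", and
// include evaluates to int(1) when the file has no return statement, so that
// 1 is printed right after the template's own output.
function render_with_short_echo_tag(string $file): string
{
    ob_start();
    echo include $file;
    return ob_get_clean();
}

// "<?php include $file; ?>" discards the return value: no stray 1.
function render_with_plain_include(string $file): string
{
    ob_start();
    include $file;
    return ob_get_clean();
}

// The cleanest variant: the included file returns data, the caller prints it.
function render_from_returned_data(string $file): string
{
    $remain = include $file;
    return sprintf('<span class="remain">%dd %dh</span>', $remain['days'], $remain['hrs']);
}

$a = trim(render_with_short_echo_tag($dir . '/timer_echo.php'));
$b = trim(render_with_plain_include($dir . '/timer_echo.php'));
$c = render_from_returned_data($dir . '/timer_return.php');

echo "short echo tag : $a\n";
echo "plain include  : $b\n";
echo "returned data  : $c\n";

// Sanity check: only the short-echo variant ends in the include's return value.
if (substr($a, -1) !== '1' || substr($b, -1) === '1' || $b !== $c) {
    throw new RuntimeException('unexpected rendering');
}

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The third variant is also the safer one for a table cell: the template never touches the page's HTML directly, so the page controls what is printed and can escape it.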
  10. what would it take to force a hacker to shut down his computer? I know for a fact that the infinite loop I got myself into and the forced shutdown have wiped my active file, so that's something I was wondering if I could reproduce on the attacker's machine?
  11. it is just me wondering how I could launch a small and annoying counter-attack on someone who is attacking my website.. I know that my idea might not make sense to any of you; I am just wondering if it is doable to do something of this kind. The goal in this idea is not to damage the hacker's device but simply to annoy him and maybe give myself some time to actually take action against a malicious attempt.
  12. I was thinking about triggering a redirect on the attacker toward another page that opens in a new window, and this next page does something but always redirects toward a copy of this same file before running the script, and so on; each window could have its own script running if he doesn't close them all. Does it seem doable?
  13. sorry, I am not the fastest one sometimes. Finally got it; the thing is that I rarely use functions, and this "protected" in front of the function is making this unexpected and expecting the end of file, but if I removed it, everything works fine by putting the sample in a function file, including it, calling the function and simply doing $user_ip = the function call.
  14. I changed the code a bit and removed the function to just keep the condition, and whatever I do the result remains the same: it only gives a null value as IP..
  15. after all the little errors were fixed, I now get a null result for the IP address variable
  16. I tried to implement the code from gizmola, but I would like to be sure I am doing this the right way. This is the part of the code updated:

     else {
         echo 'Incorrect information!';

         // "protected" is a class member modifier; on a function declared outside a class it is a parse error.
         protected function getClientIP() {
             // This assumes a classic AWS Load Balancer is proxying
             if (filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
                 && !filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP,
                                FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                 $ip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                 return $ip[0];
             } else {
                 return $_SERVER['REMOTE_ADDR'];
             }
         }

         // getClientIP() is never called here, so $ip is never set and this first branch is skipped.
         if (isset($ip[0])) {
             $stmt = $con->prepare("SELECT ip_address, num_login_attempts, ip_lock, tries_date FROM malicious_attempts WHERE ip_address = ?");
             $stmt->bind_param('s', $ip[0]);
             $stmt->execute();
             $stmt->bind_result($ip_address, $tries, $lock, $tries_date);
             $stmt->fetch();
             $stmt->close();
         } else if (isset($_SERVER['REMOTE_ADDR'])) {
             $stmt = $con->prepare("SELECT ip_address, num_login_attempts, ip_lock, tries_date FROM malicious_attempts WHERE ip_address = ?");
             $stmt->bind_param('s', $_SERVER['REMOTE_ADDR']);
             $stmt->execute();
             $stmt->bind_result($ip_address, $tries, $lock, $tries_date);
             $stmt->fetch();
             $stmt->close();
         }
         $current_date = date("Y-m-d h:i:sa");
         $current_date = strtotime($current_date);
         $last_attempt = strtotime($tries_date);
         $time_btw_attempts = $current_date - $last_attempt;
         if (isset($ip_address) && $tries < 10) {
             $tries = $tries + 1;
             $stmt = $con->prepare('UPDATE malicious_attempts SET num_login_attempts = ? WHERE ip_address = ?');
             $stmt->bind_param('is', $tries, $ip_address);
             $stmt->execute();
             $stmt->close();
             header('location: index.php');
             exit;
         } elseif (!isset($ip_address)) {
             $tries = 1;
             // $ip_address is only set when the SELECT above found a row, so here it is still null.
             $stmt = $con->prepare("INSERT INTO malicious_attempts (ip_address, num_login_attempts) VALUES (?, ?)");
             $stmt->bind_param('si', $ip_address, $tries);
             $stmt->execute();
             $stmt->close();
             header('location: index.php');
             exit;
         } else if ((isset($ip_address) && $tries >= 10) && $time_btw_attempts < 20) {
             $stmt = $con->prepare('UPDATE malicious_attempts SET ip_lock = 1 WHERE ip_address = ?');
             $stmt->bind_param('s', $ip_address);
             $stmt->execute(); // without this the lock is prepared but never written
             $stmt->close();
             header("location: jail.php");
             exit;
         }
     }
  17. I see, so you are saying that if it was a normal user, the IP address would not be ::1 but a complete version of it and actually be the user's IP? That it is simply because I am working in XAMPP with my local server that I get this IP address, so if I store the IP address as a varchar 45 it should be OK?
  18. I will have my hosting done with GoDaddy when I am able to pay for the hosting. I already bought the domain name, but apart from that I still had no idea about what I have to do server side. They work with cPanel, where I just have to upload my folder just as I am doing with XAMPP. That's about all I know.. I thought I could just get the user IP with a simple command, but it doesn't seem like it 😂
  19. thank you, I will keep this sample in my advice file and will go learn about those proxies and load balancers.
  20. I understand, thank you for your answers, but this IP address is the one of my server; how can I get the actual user IP address?
  21. it is supposed to insert the server[addr] as user IP address in the database. Am I doing this the wrong way to get the user IP address?
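An added example, not code from the thread and not gizmola's snippet, for the proxy question in the posts above: $_SERVER['REMOTE_ADDR'] is the address of the TCP peer and cannot be forged by the visitor, while X-Forwarded-For is ordinary request data that anyone can send. The function therefore only reads the header when the peer is one of the site's own proxies. The trusted proxy address 10.0.0.5, the function name and the scenario values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: resolve the client address only from
// headers that one of *our* proxies set. Everything here is illustrative.

/**
 * @param array<string,string> $server  the $_SERVER array (passed in so it can be tested)
 * @param string[]             $trusted addresses of our own load balancers / reverse proxies
 */
function client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Not behind one of our proxies: the peer *is* the client. Never consult
    // X-Forwarded-For here, or a visitor can choose which address gets logged or blocked.
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Behind a trusted proxy: walk the chain from the right (the hop our proxy
    // appended) and stop at the first address that is not one of ours. Anything
    // further left was supplied by the client and is not trusted.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted, true)) {
            // The chain is attacker-influenced text: validate before using it.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
        }
    }
    return $peer;
}

// Constructed scenarios; 10.0.0.5 plays our load balancer.
$trusted = ['10.0.0.5'];

$cases = [
    'local dev (XAMPP): peer is the IPv6 loopback' => [
        'REMOTE_ADDR' => '::1',
    ],
    'direct hit, visitor sends a spoofed XFF' => [
        'REMOTE_ADDR' => '203.0.113.9',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
    ],
    'behind our proxy, ordinary client' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.9',
    ],
    'behind our proxy, client prepended a fake hop' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9',
    ],
    'behind our proxy, garbage in XFF' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
    ],
];

foreach ($cases as $label => $server) {
    printf("%-48s -> %s\n", $label, client_ip($server, $trusted));
}
```

On a local XAMPP install the peer really is the loopback address, so seeing ::1 there is expected and is not a storage problem; on shared hosting with no proxy in front, REMOTE_ADDR is already the client. When a malformed chain arrives from a trusted proxy the function falls back to the peer address; a deployment may prefer to log that as an anomaly rather than count it against the proxy.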
  22. I have created myself a jail file, sending the blocked IP addresses there, and all is working, but the insert of the IP address, when I am testing it, will only insert this ::1 as IP? Anyone have an idea of what I am doing wrong?

     <?php
     session_start();
     include 'connect_db2.php';

     if (!isset($_POST['username'], $_POST['password'])) {
         // Could not get the data that should have been sent.
         exit('Please fill both the username and password fields!');
     }

     // Prepare our SQL, preparing the SQL statement will prevent SQL injection.
     if ($stmt = $con->prepare('SELECT id, username, password, user_lock FROM accounts WHERE username = ?')) {
         // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
         $stmt->bind_param('s', $_POST['username']);
         $stmt->execute();
         // Store the result so we can check if the account exists in the database.
         $stmt->store_result();
         if ($stmt->num_rows > 0) {
             $stmt->bind_result($id, $username, $password, $user_lock);
             $stmt->fetch();
         } else if ($stmt->num_rows == 0) {
             // Incorrect password
             echo 'Incorrect username!';
             exit;
         }
         if ($user_lock == 1) {
             $_SESSION['loggedin'] = FALSE;
             header('location: index.html');
             session_destroy();
             exit;
         }
         // Account exists, now we verify the password.
         // Note: remember to use password_hash in your registration file to store the hashed passwords.
         if (password_verify($_POST['password'], $password)) {
             // Verification success! User has logged-in!
             // Create sessions, so we know the user is logged in, they basically act like cookies but remember the data on the server.
             session_regenerate_id();
             $_SESSION['loggedin'] = TRUE;
             $_SESSION['name'] = $username;
             $_SESSION['id'] = $id;
             header('location: home.php');
             exit;
         } else {
             echo 'Incorrect information!';
             // Look up the failed-attempt record for this address.
             $stmt = $con->prepare("SELECT ip_address, num_login_attempts, ip_lock, tries_date FROM malicious_attempts WHERE ip_address = ?");
             $stmt->bind_param('s', $_SERVER['REMOTE_ADDR']);
             $stmt->execute();
             $stmt->bind_result($ip_address, $tries, $lock, $tries_date);
             $stmt->fetch();
             $stmt->close();
             // Seconds since the last failed attempt (time() is already a Unix timestamp).
             $current_date = time();
             $last_attempt = strtotime($tries_date);
             $time_btw_attempts = $current_date - $last_attempt;
             if (isset($ip_address) && $tries < 10) {
                 $tries = $tries + 1;
                 $stmt = $con->prepare('UPDATE malicious_attempts SET num_login_attempts = ? WHERE ip_address = ?');
                 $stmt->bind_param('is', $tries, $_SERVER['REMOTE_ADDR']);
                 $stmt->execute();
                 $stmt->close();
                 header('location: index.php');
                 exit;
             } elseif (!isset($ip_address)) {
                 $tries = 1;
                 $stmt = $con->prepare("INSERT INTO malicious_attempts (ip_address, num_login_attempts) VALUES (?, ?)");
                 $stmt->bind_param('si', $_SERVER['REMOTE_ADDR'], $tries);
                 $stmt->execute();
                 $stmt->close();
                 header('location: index.php');
                 exit;
             } else if ((($_SERVER['REMOTE_ADDR'] == $ip_address) && $tries >= 10) && $time_btw_attempts < 20) {
                 $stmt = $con->prepare('UPDATE malicious_attempts SET ip_lock = 1 WHERE ip_address = ?');
                 $stmt->bind_param('s', $_SERVER['REMOTE_ADDR']);
                 $stmt->execute(); // without this the lock is prepared but never written
                 $stmt->close();
                 header("location: jail.php");
                 exit;
             }
         }
     }
     ?>

     this is my authentication file.
  23. <?php
     // Per-address counters kept in the APC cache (these apc_* functions are the legacy
     // APC extension; the APCu extension provides apcu_fetch/apcu_store/apcu_delete).
     $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
     $apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";
     $tries = (int)apc_fetch($apc_key);
     if ($tries >= 10) {
         header("HTTP/1.1 429 Too Many Requests");
         echo "You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.";
         exit();
     }
     $success = login($_POST['username'], $_POST['password']);
     if (!$success) {
         $blocked = (int)apc_fetch($apc_blocked_key);
         apc_store($apc_key, $tries+1, pow(2, $blocked+1)*60); # store tries for 2^(x+1) minutes: 2, 4, 8, 16, ...
         apc_store($apc_blocked_key, $blocked+1, 86400); # store number of times blocked for 24 hours
     } else {
         apc_delete($apc_key);
         apc_delete($apc_blocked_key);
     }
     ?>

     I am just trying to figure out what to do or not do. This code is supposed to block an IP address after too many failed attempts, and for each block the time blocked goes up. I have put this code in the else condition of my login authentication file: if the login is not a success then it will do this. I was also thinking about writing an advanced option to allow the user to set a unique IP address to be allowed to log in to their account. I would like to know if it is easy or possible to clone another user's IP address? If so, it wouldn't be a really good idea to make this option.
  24. I also found a not-so-bad idea, which is to only allow the login for certain IP addresses, which could be an option set by the user. In my opinion it would be the safest way unless I hit someone who knows how to clone an IP address; then it might be a good option, but I feel like it is pretty easy for some to do that...
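An added example, not code from the thread, that puts the failed-login bookkeeping from the authentication file and the escalating lockout of the APC snippet above into one database-backed routine. It uses an in-memory SQLite database through PDO so it runs by itself; the table layout (with times_locked and locked_until columns the thread's table does not have), the function names, the 2, 4, 8 ... minute schedule and the injected clock are assumptions. Swap the DSN for the MySQL one to use it against the real malicious_attempts table.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: failed-login counting with an
// escalating per-address lock, against an in-memory SQLite database.
// Column names beyond ip_address / num_login_attempts / tries_date are assumed.

const MAX_TRIES = 10;

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE malicious_attempts (
        ip_address         VARCHAR(45) PRIMARY KEY,
        num_login_attempts INTEGER NOT NULL DEFAULT 0,
        times_locked       INTEGER NOT NULL DEFAULT 0,
        locked_until       INTEGER,            -- Unix time, NULL = not locked
        tries_date         INTEGER NOT NULL    -- Unix time of the last failure
    )');
    return $db;
}

// Call before checking the password. Returns seconds left on the lock, or 0.
function seconds_locked(PDO $db, string $ip, int $now): int
{
    $q = $db->prepare('SELECT locked_until FROM malicious_attempts WHERE ip_address = ?');
    $q->execute([$ip]);
    $until = $q->fetchColumn();
    return ($until !== false && $until !== null && (int)$until > $now) ? (int)$until - $now : 0;
}

// Call after password_verify() failed. Returns the lock length applied (0 = none yet).
function record_failure(PDO $db, string $ip, int $now): int
{
    $q = $db->prepare('SELECT num_login_attempts, times_locked FROM malicious_attempts WHERE ip_address = ?');
    $q->execute([$ip]);
    $row = $q->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // First failure from this address: INSERT the address we actually have,
        // not a variable that is only set when a row was found.
        $db->prepare('INSERT INTO malicious_attempts (ip_address, num_login_attempts, tries_date) VALUES (?, 1, ?)')
           ->execute([$ip, $now]);
        return 0;
    }

    $tries = (int)$row['num_login_attempts'] + 1;
    if ($tries < MAX_TRIES) {
        // Keep tries_date current, otherwise "time since last attempt" is meaningless.
        $db->prepare('UPDATE malicious_attempts SET num_login_attempts = ?, tries_date = ? WHERE ip_address = ?')
           ->execute([$tries, $now, $ip]);
        return 0;
    }

    // Threshold reached: lock for 2^(times_locked+1) minutes, reset the counter,
    // and actually execute() the statement (a prepare() on its own writes nothing).
    $locks = (int)$row['times_locked'] + 1;
    $seconds = (2 ** $locks) * 60;
    $db->prepare('UPDATE malicious_attempts
                  SET num_login_attempts = 0, times_locked = ?, locked_until = ?, tries_date = ?
                  WHERE ip_address = ?')
       ->execute([$locks, $now + $seconds, $now, $ip]);
    return $seconds;
}

// Call after a successful login so a legitimate user does not stay penalised.
function record_success(PDO $db, string $ip): void
{
    $db->prepare('DELETE FROM malicious_attempts WHERE ip_address = ?')->execute([$ip]);
}

// Walk-through with a constructed clock and address.
$db = open_db();
$ip = '203.0.113.9';
$t0 = 1_700_000_000;

for ($i = 1; $i <= MAX_TRIES; $i++) {
    $lock = record_failure($db, $ip, $t0 + $i);
    printf("failure %2d -> lock %d s\n", $i, $lock);
}
printf("locked for %d s shortly after the lock\n", seconds_locked($db, $ip, $t0 + 11));
printf("locked for %d s once the lock has expired\n", seconds_locked($db, $ip, $t0 + 11 + 120));
record_success($db, $ip);
printf("after a successful login: %d s\n", seconds_locked($db, $ip, $t0 + 12));
```

The lock is time-based rather than a permanent ip_lock flag, so it expires on its own and the schedule lengthens for repeat offenders; a permanent flag on a shared or dynamic address ends up blocking whoever gets that address next. Whatever address is passed in here should already be the canonical client address, not a value copied from an untrusted header.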