alexandre

Members
  • Posts: 253

Everything posted by alexandre

  1. I found this example of blocking an IP address for an amount of time after a given number of tries; I would like to know if it looks good.

     <?php
     // Per-host, per-client-IP cache keys: one counts failed login attempts, the other how
     // many times that IP has been counted. (These are the legacy APC apc_* calls; APCu
     // offers the same operations as apcu_fetch / apcu_store / apcu_delete.)
     $apc_key         = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
     $apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";

     $tries = (int)apc_fetch($apc_key);
     if ($tries >= 10) {
         header("HTTP/1.1 429 Too Many Requests");
         echo "You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.";
         exit();
     }

     // login() is the application's own authentication function (not shown here).
     $success = login($_POST['username'] ?? '', $_POST['password'] ?? '');
     if (!$success) {
         $blocked = (int)apc_fetch($apc_blocked_key);
         // Keep the try counter for 2^(blocked+1) minutes: 2, 4, 8, 16, ...
         // Note that $blocked grows on every failed attempt, not only when the 10-try
         // threshold is reached, so the window lengthens with each failure.
         apc_store($apc_key, $tries + 1, pow(2, $blocked + 1) * 60);
         // Remember how many times this IP has failed, for 24 hours.
         apc_store($apc_blocked_key, $blocked + 1, 86400);
     } else {
         apc_delete($apc_key);
         apc_delete($apc_blocked_key);
     }
  2. Just a question like that: if the IP address is changing automatically, do I need to catch that, or will the page reload if it changes? I don't have a VPN to test that, and it is kind of just a wonder about what I should do in this situation. I would like to be able to see a simulation of a sophisticated attack on a website, and be able to see how this is done and what they would be using to bypass the security. Most of what I have heard of by now was the use of the inputs for SQL injection, or the use of a brute-force attack. Cross-site scripting, I am still unsure of what this can use or do apart from changing the output; there must be something more, because I was probably hacked because of a hack on a website: I received a mail telling me that they had been hacked, and even if the passwords were hashed the attackers had access to information. So I wonder what else you can use as a tactic for getting inside a server or getting access to this information. A better question must be: what should I put in place to make a well-sealed website as a whole?
  3. Thank you, that's what I was wondering about.
  4. I was more talking about the user agent of the users or the IP addresses.
  5. Unless you were saying this because I asked if it was illegal to collect that information.
  6. Maybe, how would I do that? Are you talking about a DDoS attack there, or is this something else?
  7. Dang, I didn't realize that for every attempt, even if the IP address is changing, it will store the new one and limit it as well, so I think this seems good finally. Sorry, I always try to question everything.
  8. In theory this is good, but there is little chance that an attacker will not be hiding his IP address, probably with a VPN changing IP address after some time. I don't know much about it, but storing an IP address would just protect against this IP address. I am also not collecting any information about my users, not even an email, so it gets complicated for this reason. But when you say I need to collect that information, isn't it illegal to do this without the user's consent, even if this user is someone trying to break your website?
  9. Rate limiting as in counting the login attempts for a given period of time? This would not solve the problem if I still have to lock the account temporarily. Someone could just spam the login for another user in order to make this person unable to participate in, for example, the competitive event; one could just do this and donate more to steal a place while the other would be unable to defend his place in the rank. What I was thinking is that if there is an obvious number of attempts indicating it is an attack, I could simply make the input disappear for this session and display a message instead. If I could, I would make the attacker's session never die, so he would always come back to this same screen where he is unable to do anything. Do you know a way to make a session never die?
  10. I am just wondering if there is one way better than the others to counter this kind of attack. I believe it is targeting a single account at a time; if I want to avoid locking the user account, since there is no account recovery on my website, what would be my best options?
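Added example (not alexandre's code, nor anything posted in the original thread): the login throttle from post 1 reworked around the concern in posts 9 and 10, counting failures per source IP and per (IP, account) pair instead of per account, so an attacker hammering one account from their own address does not lock the real owner out from another address. It assumes the APCu extension (apcu_inc with a TTL argument, APCu 5.1.12 or later) and an application-defined login($user, $pass) function.

```php
<?php
// Added example, not from the original thread. Login throttling keyed on the
// source IP and on the (IP, account) pair, so an attacker hammering one account
// from their own address does not lock the real owner out from another address.
// Assumes the APCu extension and an application-defined login($user, $pass).

const IP_MAX_FAILS   = 20;   // all accounts combined, per source IP
const PAIR_MAX_FAILS = 5;    // per (IP, account) pair
const WINDOW_SECONDS = 900;  // counters expire 15 minutes after they are created

function throttleKey(string $kind, string ...$parts): string
{
    // Hash the parts so user-controlled strings cannot forge or collide cache keys.
    return 'login:' . $kind . ':' . hash('sha256', implode("\0", $parts));
}

function isThrottled(string $ip, string $username): bool
{
    // apcu_fetch returns false for a missing key, which casts to 0.
    return (int)apcu_fetch(throttleKey('ip', $ip)) >= IP_MAX_FAILS
        || (int)apcu_fetch(throttleKey('pair', $ip, $username)) >= PAIR_MAX_FAILS;
}

function recordFailure(string $ip, string $username): void
{
    foreach ([throttleKey('ip', $ip), throttleKey('pair', $ip, $username)] as $key) {
        // apcu_inc creates the entry with the TTL when it does not exist yet;
        // the apcu_store fallback covers older APCu builds.
        if (apcu_inc($key, 1, $ok, WINDOW_SECONDS) === false) {
            apcu_store($key, 1, WINDOW_SECONDS);
        }
    }
}

$ip       = $_SERVER['REMOTE_ADDR'];
$username = $_POST['username'] ?? '';

if (isThrottled($ip, $username)) {
    http_response_code(429);                 // same status the post 1 snippet uses
    header('Retry-After: ' . WINDOW_SECONDS);
    exit('Too many login attempts; please try again later.');
}
if (login($username, $_POST['password'] ?? '')) {
    apcu_delete(throttleKey('pair', $ip, $username)); // success clears the pair counter
} else {
    recordFailure($ip, $username);
    exit('Invalid username or password.');  // same message whether or not the account exists
}
```

Per-IP counting does nothing against an attacker who rotates addresses, the point raised in post 8; what the pair counter buys is that such an attacker's failures never lock anyone but themselves out.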
  11. That's why now I was thinking about integrating a voucher manager protected by a password before you can access it. The only problem is that I know that most users will only be using the same password for their account and for the vouchers; that's what might compromise their account or vouchers. Integrating a voucher manager would, in my opinion, help to prevent that, since the users would feel less scared about choosing complicated passwords if they knew they were saved for them somewhere. With a password manager and no recovery system, what is there left to do to hack the user? It is protected with session IDs of up to 19 random digits. If your session ID and unique name don't match, it kicks you out. All the inputs are filtered. I am trying to make it as safe as possible to be able to integrate a voucher manager from the beginning, but even I am not sure about it until I have put enough layers of security in place. I am also in the making of an admin panel; I can already lock a user account and log them out without the possibility of logging back in, if there is any need for it, in a simple click, or if they are locked and I need to unlock, the button changes to unlock. Pretty simple, but useful if I notice anything strange with a user account. I was going to add a voucher panel from where I can monitor if needed. I forgot to say that I made the transaction system for the vouchers only. It is a one-way transaction where a user sends a voucher in a transaction; for doing so the user needs to enter the targeted user and enter his voucher code and password for this voucher. Once the transaction is sent, the user can't cancel it or alter it in any way. I did this because I was scared that people would use this as a scam tool to make others believe they sent something and cancel before the receiver could redeem it. Once the transaction is completed the voucher is redeemed and will remain inactive and locked, and it is the same for the transaction itself.
      All of this is functional as it is. I still need to add a PIN to be entered before the user can create a voucher, to avoid someone stealing the funds on the account if it were to be compromised.
  12. Yes, I have a hard time making compromises on the server-side security but also on the users' security. Since I noticed that almost every hack I saw was being done via the recovery system of the sites, I opted for no recovery at all. The voucher system is functional, and users can recover a voucher as long as they do not lose the voucher's password and security PIN, which is 7 random digits generated when you create your voucher. The good thing is, if a user loses his account they can always redeem their vouchers in a new account; as long as they do not lose the password and security PIN, the voucher is safe, and the vouchers are not erased, for historical value or even legal matters; only the status and a lock, for even more security, are activated on the voucher as soon as it is sent in a transaction. Once the lock is activated or the status of a voucher is 0, the voucher is unusable. Also, I collect zero personal information, not even an email account, since every site I saw is using this, and as soon as your email is compromised everything else is, because we all know that we use our email accounts for everything. That's why my website won't be offering an account recovery. I tried to think of an alternative as you were saying, but I will be strongly advising to be careful with the passwords and vouchers; without having any personal information about a user, I simply can't see how I could ensure security if I have no way to prove that this is them.
  13. This is run from Reallusion, but when I look at the programs installed on my machine there is no Reallusion... a bit weird.
  14. Is there a way I can look at where the process is coming from?
  15. In fact I don't know what I was doing, so I guess it is normal to have it installed since I have tried a lot of things. I was just wondering why it would be running when I was not using it. Probably running at the start of my laptop.
  16. Just trying to figure out if this is from me or some malicious program running this behind my back. I am using XAMPP and nothing else but phpMyAdmin.
  17. It all makes sense, and I think that I didn't really set things up completely like that; however, I decided not to let users upload images, since it was just one more thing to help me identify the charities; it wasn't a necessity. I instead just ask for the country where the charity is registered and the exact name. For this purpose the images weren't really necessary, but I might let the users choose a profile picture, so this might come in handy at some point. But like you were saying about malicious attempts to break my code, I have a hard time with everything that can create even the smallest security hole. I really don't mind creating an almost static website if that's what it takes to avoid security issues. I already use the minimum of JavaScript; let's say a sidebar uses JavaScript, and my global chat is working without being connected to any database but uses JavaScript. This is my upload file that I was using to upload the images from users:

     <?php
     $target_dir    = "uploads/";
     $target_file   = $target_dir . basename($_FILES["fileToUpload"]["name"]);
     $uploadOk      = 1;
     $imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

     // Check that the uploaded file decodes as an image.
     if (isset($_POST["submit"])) {
         $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
         if ($check !== false) {
             echo "File is an image - " . $check["mime"] . ".";
             $uploadOk = 1;
         } else {
             echo "File is not an image.";
             $uploadOk = 0;
         }
     }
     // Refuse to overwrite an existing file.
     if (file_exists($target_file)) {
         echo "Sorry, file already exists.";
         $uploadOk = 0;
     }
     // Size limit, in bytes.
     if ($_FILES["fileToUpload"]["size"] > 500000) {
         echo "Sorry, your file is too large.";
         $uploadOk = 0;
     }
     // Extension allow-list, taken from the client-supplied file name.
     if ($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" && $imageFileType != "gif") {
         echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
         $uploadOk = 0;
     }

     if ($uploadOk == 0) {
         echo "Sorry, your file was not uploaded.";
     } else {
         if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
             header('Location: ../admin_panel/admin-home.php');
             exit;
         } else {
             echo "Sorry, there was an error uploading your file.";
         }
     }

     I am not sure that everything you said above is done there, but I thought it was filtering it a bit.
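Added example (not the poster's code): a stricter version of the upload handler quoted in post 17, which decides the file type from its bytes, re-encodes the image so nothing but pixel data is kept, and never lets the client choose the stored file name or location. It assumes PHP 8 with the GD and fileinfo extensions, the same "fileToUpload" form field, and a storage directory outside the web root (the path used here is an assumption).

```php
<?php
// Added example, not the poster's code: a stricter version of the upload handler
// in post 17. Assumes PHP 8 with the GD and fileinfo extensions, the same
// "fileToUpload" form field, and a storage directory outside the web root.

const UPLOAD_DIR = __DIR__ . '/../private_uploads';   // assumed path, not web-served
const MAX_BYTES  = 500000;                             // same limit as the original
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function storeImage(array $file): string
{
    // 1. Honour PHP's own verdict (partial upload, ini size limit, no file, ...).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $file['error']);
    }
    // 2. The temp path must be this request's upload, not an arbitrary server path.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }
    // 3. Type comes from the file's bytes, never from the client-supplied name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    // 4. Re-encode through GD: anything that is not pixel data is dropped on the way.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }
    // 5. Server-chosen random name and extension; the client's file name is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $written = match ($mime) {
        'image/jpeg' => imagejpeg($img, UPLOAD_DIR . '/' . $name, 90),
        'image/png'  => imagepng($img, UPLOAD_DIR . '/' . $name),
        'image/gif'  => imagegif($img, UPLOAD_DIR . '/' . $name),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('could not write image');
    }
    return $name;   // store this in the DB; serve it through a script that sets Content-Type
}

if (isset($_FILES['fileToUpload'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(storeImage($_FILES['fileToUpload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Sorry, your file was not uploaded: ' . htmlspecialchars($e->getMessage());
    }
}
```

Re-encoding flattens animated GIFs to their first frame; if that matters, keep the type check and random naming but skip step 4 for GIFs and accept the residual risk.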
  18. I understand, thank you. And yes, I know that I have to set up the uploads.
  19. Sorry, I didn't get the notification of your answer. This brings me another question: if I let users upload images, to then store them in a folder with a path stored in a table in the database, is the storage handled by the hosting provider, or does this still rely on my laptop storage? I never hosted a website that I programmed myself before, so I am clueless about how this works.
  20. If you prefer, foundations registered with governmental approval or something like that 😅
  21. I hope so; I am using my own words to describe what I am trying to explain.
  22. I am building an admin dashboard page, and this will be from where I will upload the images needed. I disappoint myself a bit; I wanted to allow users to register their legit and confirmed foundations so they can create their own "foundation profile page" and upload their own image for the front display. If I find the way to verify the foundations, is it still the best way to store the images? I mean, if the file will be coming from the users, I don't know if it makes a difference.
  23. I have this shopping cart feature that I integrated into my website, and I noticed that the developer was storing the images in an imgs directory in the shopping cart directory and simply adding the name of the image file to the database, but I also saw that you can store images directly in the database. What I want to do is a page to display the foundations' front presentations as a TikTok-style vertical slideshow. It doesn't seem to be complicated to achieve if I don't want to make that swiping effect and just use the scrolling effect of a webpage, if I store the images in the database. A simple loop through all the images would display them all fine (if it is possible to do so). I could also make them clickable easily to lead to the selected foundation "profile page". I am just wondering if I should use one method or the other, maybe for storage capacity reasons or any other issues related to storing images in the database.
  24. I believe you now; it is just hard to get away from the laptop before I have fixed my issue. If I do go away I just feel like I am wasting time... but all in all I appreciated your help. 😄
  25. Dang, thank you, I don't know what I was thinking, and I might be tired... how can someone be so blind 😂