cobusbo Posted August 30, 2014

Hi, I found a very old outdated script for temporary banning people. But I'm having some problems running the functions. First off, here is my banning functions script named ip-ban-time-limit.php

```php
<?php
// Published at: www.TakeTwoApps.com
$ipLog='ip-log.txt'; // Your logfiles name here
$timeout='0.01'; // How many hours to block IP
$goHere='tik.php'; // Allowed pages name here
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $vis_ip = getenv(REMOTE_ADDR);
else $vis_ip = $_SERVER['REMOTE_ADDR'];

function recordData($vis_ip,$ipLog,$goHere)
{
    $log=fopen("$ipLog", "a+");
    fputs ($log,$vis_ip."][".time()."\n");
    fclose($log);
    // The below header function was causing errors in apache
    //so I changed it to echo the script tag.
    //Header ("Location: $goHere"); exit(0);
    echo "<?php include('$goHere')?>";
    exit(0);
}

function checkLog($vis_ip,$ipLog,$timeout)
{
    global $valid;
    $ip=$vis_ip;
    $data=file("$ipLog");
    $now=time();
    foreach ($data as $record) {
        $subdata=explode("][",$record);
        if ($now < ($subdata[1]+3600*$timeout) && $ip == $subdata[0]) {
            $valid=0;
            echo "You have been banned from accessing this page. Try again in $timeout hours.";
            break;
        }
    }
}

checkLog($vis_ip,$ipLog,$timeout);
if ($valid!="0") recordData($vis_ip,$ipLog,$goHere);
?>
```

I wanted to add the file tik.php, which contains a form to post underneath a chat script, if the person isn't banned with the above script. So I changed the line

```php
echo "<?php include('$goHere')?>"; exit(0);
```

from location.replace to the include function.
Then I added require_once ( 'ip-ban-time-limit.php' ); on my index page

```php
<?php
require_once('common.php');
checkUser();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Galaxy Universe Chat</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body><br>
<div id="main">
  <div class="caption">Galaxy Universe Chat</div>
  <div id="icon"> </div>
  <div id="result">
    Hello <?php echo $_SESSION['userName']; ?> ! <br/>
    <div style="color:red"><b><p>Please keep it clean and in English or you will be banned!</p></b></div>
    <br>
    <?PHP
    include "./stringychat.inc.php";
    require_once ( 'ip-ban-time-limit.php' );
    ?>
    <br>
    <p><a href="index1.php">Refresh</a> | <a href="logout.php">Log Out</a></p>
  </div>
  <div id="source">Galaxy Wars chat @ cobusbo</div>
</div>
</body>
```

But now I have the problem that every time I refresh my index page I'm getting banned as well. How can I change it so that I'm not getting banned every time I'm trying to refresh the page?

trq Posted August 30, 2014

> Hi I found a very old outdated script for temporary banning people.

So why are you trying to use it? All of the above code needs to be thrown away.

cobusbo (Author) Posted August 30, 2014

> So why are you trying to use it? All of the above code needs to be thrown away.

Because it's the only example on how to implement timed banning I could find. I would have loved to add it to a MySQL table, but I'm not sure how to implement it. And with the above code it's basically standalone.

Ch0cu3r Posted August 30, 2014

The problem with your code is you have not told it who to ban. It just blindly records every visitor's IP and does not allow them to access the page again until 36 seconds have passed. You need to alter the code so it only blocks the visitors who you want to ban.

cobusbo (Author) Posted August 30, 2014

> The problem with your code is you have not told it who to ban. It just blindly records every visitor's IP and does not allow them to access the page again until 36 seconds have passed. You need to alter the code so it only blocks the visitors who you want to ban.

Ok, I was trying to specify who to kick via this page and form for the administrator

```php
<?
include "./emoticon_replace1.php";

if ($_POST["DeletePost"]) {
    $id = $_POST["id"];
    $query = "DELETE FROM ".$dbTable." WHERE id='".$id."'";
    mysql_query($query);
    echo "ID removed from system: ".$id;
}

if ($_POST["BanIP"]) {
    $IP_To_Add = $_POST["ip"];
    if(eregi("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$", $IP_To_Add)) {
        $sql = "INSERT INTO ".$IPBanTable." (ip) VALUES (\"$IP_To_Add\")";
        $result = mysql_query($sql);
    } else {
        echo "Error: Not a valid IP: ".$IP_To_Add;
    }
}

if ($_POST["purge"]) {
    $query = "TRUNCATE TABLE ".$dbTable;
    mysql_query($query);
    echo "StringyChat purged";
}

if(!$_POST["update"] || !$_POST["StringyChat_name"] || !$_POST["StringyChat_message"]) {
} else {
    $id = $_POST["id"];
    $name = $_POST["StringyChat_name"];
    $message = $_POST["StringyChat_message"];
    include("emoticon_replace.php");
    $query = "UPDATE ".$dbTable." SET StringyChat_name='$name', StringyChat_message='$message' WHERE id='".$id."'";
    $result = mysql_query($query, $db) or die("Invalid query: " . mysql_error());
}

if ($_POST["EditPost"]) {
    $id = $_POST["id"];
    $result = mysql_query("SELECT * FROM ".$dbTable." WHERE id='".$id."'", $db);
    $myrow = mysql_fetch_array($result);
?>
<form name="StringyChat_form" method="POST" action="?mode=postman">
  Name:<br>
  <input name="StringyChat_name" class="StringyChatFrm" type="text" size="20" maxlength="<? echo $name_size; ?>" value="<? echo $myrow["StringyChat_name"]?>">
  <br>
  Message:<br>
  <textarea name="StringyChat_message" class="StringyChatFrm" cols="20" rows="4"><? echo $myrow["StringyChat_message"]?></textarea>
  <br>
  <input type="hidden" name="id" value="<? echo $id ?>">
  <input name="update" class="StringyChatFrm" type="submit" value="Update">
</form>
<? } ?>
<a href="<? echo $_SERVER['REQUEST_URI']; ?>&m=purge">Purge StringyChat</a><br>
<br>
<?
// Load up the last few posts. The number to load is defined by the "ShowPostNum" variable.
$result = mysql_query("SELECT * FROM ".$dbTable." ORDER BY StringyChat_time DESC",$db);
while ($myrow = mysql_fetch_array($result)) {
    $msg = $myrow["StringyChat_message"];
    $msg = strip_tags($msg);
    $msg = eregi_replace("im#([a-z]{3})", "<img src=\"/stringychat/images/\\1.gif\" alt=\"emoticon\">",$msg);
    printf("<div class=\"StringyChatItem\"><h4>%s<br>\n", $myrow["StringyChat_name"]);
    printf("%s</h4>\n", date("H:i - d/m/y", $myrow["StringyChat_time"]));
    printf("%s</div>\n", $msg);
?>
<form name="form<? echo $myrow["id"];?>" method="post" action="?mode=postman">
  <input name="id" type="hidden" value="<? echo $myrow["id"];?>">
  <input name="ip" type="hidden" value="<? echo $myrow["StringyChat_ip"];?>">
  <input name="EditPost" type="submit" id="EditPost" value="Edit">
  <input name="DeletePost" type="submit" id="DeletePost" value="Delete">
  <input name="BanIP" type="submit" id="BanIP" value="Ban <? echo $myrow["StringyChat_ip"];?>">
  <input name="1" type="submit" id="1" value="Kick <? echo $myrow["StringyChat_ip"];?> for 1 hour ">
  <input name="1d" type="submit" id="1d" value="Kick <? echo $myrow["StringyChat_ip"];?> for 24 hours ">
  <input name="7d" type="submit" id="7d" value="Kick <? echo $myrow["StringyChat_ip"];?> for 7 days ">
</form>
<? } ?>
```

via the input buttons 1, 1d, 7d, since I want to make 3 different banning options: 1 hour, 1 day and 7 days. What should I do to change it?

cobusbo (Author) Posted August 30, 2014

> The problem with your code is you have not told it who to ban. It just blindly records every visitor's IP and does not allow them to access the page again until 36 seconds have passed. You need to alter the code so it only blocks the visitors who you want to ban.

Ok, I tried to do the following in

```php
<?php
// Published at: www.TakeTwoApps.com
include("chat_code_header.php");
require_once('common.php');
$ipLog='ip-log.txt'; // Your logfiles name here
$timeout='0.01'; // How many hours to block IP
$goHere='tik.php'; // Allowed pages name here
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $vis_ip = $k2;
else $vis_ip = $k2;

function recordData($vis_ip,$ipLog,$goHere)
{
    $log=fopen("$ipLog", "a+");
    fputs ($log,$vis_ip."][".time()."\n");
    fclose($log);
    // The below header function was causing errors in apache
    //so I changed it to echo the script tag.
    //Header ("Location: $goHere"); exit(0);
    echo "<?php include('$goHere')?>";
    exit(0);
}

function checkLog($vis_ip,$ipLog,$timeout)
{
    global $valid;
    $ip=$vis_ip;
    $data=file("$ipLog");
    $now=time();
    foreach ($data as $record) {
        $subdata=explode("][",$record);
        if ($now < ($subdata[1]+3600*$timeout) && $ip == $subdata[0]) {
            $valid=0;
            echo "You have been banned from accessing this page. Try again in $timeout hours.";
            break;
        }
    }
}

checkLog($vis_ip,$ipLog,$timeout);
if ($valid!="0") recordData($vis_ip,$ipLog,$goHere);
?>
```

I changed the lines

```php
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $vis_ip = getenv(REMOTE_ADDR);
else $vis_ip = $_SERVER['REMOTE_ADDR'];
```

to

```php
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $vis_ip = $k2;
else $vis_ip = $k2;
```

and in my admin script

```php
<?
include "./emoticon_replace1.php";

if ($_POST["DeletePost"]) {
    $id = $_POST["id"];
    $query = "DELETE FROM ".$dbTable." WHERE id='".$id."'";
    mysql_query($query);
    echo "ID removed from system: ".$id;
}

if ($_POST["BanIP"]) {
    $IP_To_Add = $_POST["ip"];
    if(eregi("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$", $IP_To_Add)) {
        $sql = "INSERT INTO ".$IPBanTable." (ip) VALUES (\"$IP_To_Add\")";
        $result = mysql_query($sql);
    } else {
        echo "Error: Not a valid IP: ".$IP_To_Add;
    }
}

if ($_POST["purge"]) {
    $query = "TRUNCATE TABLE ".$dbTable;
    mysql_query($query);
    echo "StringyChat purged";
}

if(!$_POST["update"] || !$_POST["StringyChat_name"] || !$_POST["StringyChat_message"]) {
} else {
    $id = $_POST["id"];
    $name = $_POST["StringyChat_name"];
    $message = $_POST["StringyChat_message"];
    include("emoticon_replace.php");
    $query = "UPDATE ".$dbTable." SET StringyChat_name='$name', StringyChat_message='$message' WHERE id='".$id."'";
    $result = mysql_query($query, $db) or die("Invalid query: " . mysql_error());
}

if ($_POST["EditPost"]) {
    $id = $_POST["id"];
    $result = mysql_query("SELECT * FROM ".$dbTable." WHERE id='".$id."'", $db);
    $myrow = mysql_fetch_array($result);
?>
<form name="StringyChat_form" method="POST" action="?mode=postman">
  Name:<br>
  <input name="StringyChat_name" class="StringyChatFrm" type="text" size="20" maxlength="<? echo $name_size; ?>" value="<? echo $myrow["StringyChat_name"]?>">
  <br>
  Message:<br>
  <textarea name="StringyChat_message" class="StringyChatFrm" cols="20" rows="4"><? echo $myrow["StringyChat_message"]?></textarea>
  <br>
  <input type="hidden" name="id" value="<? echo $id ?>">
  <input name="update" class="StringyChatFrm" type="submit" value="Update">
</form>
<? } ?>
<a href="<? echo $_SERVER['REQUEST_URI']; ?>&m=purge">Purge StringyChat</a><br>
<br>
<?
// Load up the last few posts. The number to load is defined by the "ShowPostNum" variable.
$result = mysql_query("SELECT * FROM ".$dbTable." ORDER BY StringyChat_time DESC",$db);
while ($myrow = mysql_fetch_array($result)) {
    $msg = $myrow["StringyChat_message"];
    $msg = strip_tags($msg);
    $msg = eregi_replace("im#([a-z]{3})", "<img src=\"/stringychat/images/\\1.gif\" alt=\"emoticon\">",$msg);
    printf("<div class=\"StringyChatItem\"><h4>%s<br>\n", $myrow["StringyChat_name"]);
    printf("%s<p>\n",$myrow["StringyChat_ip"],"%s</p>\n");
    printf("%s</h4>\n", date("H:i - d/m/y", $myrow["StringyChat_time"]));
    printf("%s</div>\n", $msg);
    if (isset($_POST['$k2'])) {
        echo $myrow["StringyChat_ip"];
        return;
    }
?>
<form name="form<? echo $myrow["id"];?>" method="post" action="?mode=postman">
  <input name="id" type="hidden" value="<? echo $myrow["id"];?>">
  <input name="ip" type="hidden" value="<? echo $myrow["StringyChat_ip"];?>">
  <input name="EditPost" type="submit" id="EditPost" value="Edit">
  <input name="DeletePost" type="submit" id="DeletePost" value="Delete">
  <input name="BanIP" type="submit" id="BanIP" value="Ban <? echo $myrow["StringyChat_ip"];?>">
  <input name="$k2" type="submit" id="1" value="Kick <? echo $myrow["StringyChat_ip"];?> for 1 hour ">
  <input name="1d" type="submit" id="1d" value="Kick <? echo $myrow["StringyChat_ip"];?> for 24 hours ">
  <input name="7d" type="submit" id="7d" value="Kick <? echo $myrow["StringyChat_ip"];?> for 7 days ">
</form>
<? } ?>
```

I added the function

```php
if (isset($_POST['$k2'])) {
    echo $myrow["StringyChat_ip"];
    return;
}
```

but still every time I refresh my index page I get banned... Any help please...

Solution

Ch0cu3r Posted August 30, 2014 (edited)

The changes you made will have no effect because the form in your admin script is not being submitted to your ip-ban-time-limit.php script!

The changes you need to make to both scripts will be:

In the admin script, when the ban form is submitted you need to add a new entry containing the following information into the ip-log.txt file:

- the user's IP address
- and the timestamp for when the ban will be lifted. For example, if the user is banned for 1 hour use strtotime('+1 hour') to generate the timestamp for when the ban is lifted. See strtotime for more info.

The ip-ban-time-limit.php script will need to be written from scratch. The steps you need to take here are:

- get the user's IP
- check to see if the IP is listed in ip-log.txt
- if it is found in the file, check to see if the current time is greater than the recorded timestamp
- restrict access if sufficient time has not passed
- only when sufficient time has passed you can remove the user's IP from ip-log.txt

Edited August 30, 2014 by Ch0cu3r
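
Added example, not part of the thread or any poster's code: one way to implement the steps in Ch0cu3r's answer, keeping the ip-log.txt name and the `ip][timestamp` line format from the original script. The function names `banIp` and `banExpiry`, the duration whitelist and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example; ip-log.txt and the "ip][timestamp" format come from the thread,
// the function names and sample addresses are hypothetical.
const BAN_FILE = __DIR__ . '/ip-log.txt';

// Admin side: append the IP and the timestamp at which the ban is lifted.
function banIp(string $ip, string $duration, string $file = BAN_FILE): bool
{
    $allowed = ['+1 hour', '+1 day', '+7 days'];   // the three kick buttons
    if (!in_array($duration, $allowed, true)) return false;
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return false;
    $line = $ip . '][' . strtotime($duration) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Visitor side: returns the expiry timestamp while $ip is banned, otherwise 0.
// Entries whose ban has been lifted are removed from the file.
function banExpiry(string $ip, string $file = BAN_FILE, ?int $now = null): int
{
    $now = $now ?? time();
    $fh = @fopen($file, 'c+');                     // read/write, create if missing
    if ($fh === false) return 0;
    flock($fh, LOCK_EX);                           // no interleaving with banIp()
    $keep = [];
    $expiry = 0;
    $dropped = false;
    while (($line = fgets($fh)) !== false) {
        $parts = explode('][', trim($line));
        if (count($parts) !== 2 || !ctype_digit($parts[1]) || (int) $parts[1] <= $now) {
            $dropped = true;                       // malformed or expired entry
            continue;
        }
        $keep[] = $parts[0] . '][' . $parts[1] . "\n";
        if ($parts[0] === $ip) $expiry = max($expiry, (int) $parts[1]);
    }
    if ($dropped) {                                // rewrite only when something changed
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, implode('', $keep));
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $expiry;
}

// Demo on a temporary file with constructed entries.
$tmp = tempnam(sys_get_temp_dir(), 'ban');
banIp('203.0.113.7', '+1 hour', $tmp);
file_put_contents($tmp, '198.51.100.9][' . (time() - 60) . "\n", FILE_APPEND); // expired
var_dump(banExpiry('203.0.113.7', $tmp) > time());  // banned visitor
var_dump(banExpiry('198.51.100.9', $tmp));          // ban already lifted
var_dump(banExpiry('192.0.2.1', $tmp));             // never banned
var_dump(file_get_contents($tmp));                  // only the active ban remains
unlink($tmp);
```

In ip-ban-time-limit.php the check is then a call to `banExpiry($_SERVER['REMOTE_ADDR'])`, with access refused while it returns a non-zero timestamp; nothing is written for ordinary visitors, so refreshing the page no longer bans anyone.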

Jacques1 Posted August 31, 2014

Before you jump to the technical details, I think the concept itself needs a reality check.

Do you honestly believe that anybody on the Internet will wait 7 days for you to unban their IP address? I don't think so. Chances are they're back in 7 seconds with a new IP. I mean, even the dumbest script kiddie knows how to use a proxy, use Tor or simply reset their router.

At the same time there's a huge risk of blocking legitimate users just because they happen to share their IP address with somebody else. If you hit a big proxy or VPN, you'll lock out hundreds or thousands of people who haven't done anything. Is your site so incredibly popular that you can live with that?

I understand why programmers like IP bans: They're easy, they're cheap, and they give you the illusion of “doing something”. But I fear they solve no problems while creating new ones. I'm sure there's a better approach.

What are you trying to do? Is this a public chat where you want to block certain participants? Then I'd use a cookie-like mechanism. Of course you shouldn't use actual cookies, because those are a bit too obvious. But if you search for Evercookie, you'll find a lot of more creative techniques.

Another interesting concept is the hellban: Instead of actually blocking the user, you just ignore their messages. So while they believe they're still taking part in the discussion, they cannot be seen by anybody.

Of course no technique is perfect. Anybody with a decent level of knowledge can circumvent any ban. What you can and should do, however, is keep the average troll busy without locking out half of the world's population.
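
Added example, not part of the thread: the hellban idea from Jacques1's post expressed as a query filter, keyed on the chat user name rather than on the IP address. The table and column names, the function names and the sample users are hypothetical; an in-memory SQLite database via PDO keeps the example self-contained.

```php
<?php
// Added example; schema, function names and sample users are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$pdo->exec('CREATE TABLE hellbans (author TEXT PRIMARY KEY, until INTEGER)');

// Posting always succeeds, so a hellbanned user notices no difference.
function postMessage(PDO $pdo, string $author, string $body): void
{
    $pdo->prepare('INSERT INTO messages (author, body) VALUES (?, ?)')
        ->execute([$author, $body]);
}

// Hide an author's messages from everyone else until the given time.
function hellban(PDO $pdo, string $author, string $duration): void
{
    $pdo->prepare('REPLACE INTO hellbans (author, until) VALUES (?, ?)')
        ->execute([$author, strtotime($duration)]);
}

// Messages as $viewer sees them: everything from authors without an active
// hellban, plus the viewer's own posts even when the viewer is hellbanned.
function visibleMessages(PDO $pdo, string $viewer, ?int $now = null): array
{
    $stmt = $pdo->prepare(
        'SELECT m.author, m.body
           FROM messages m
           LEFT JOIN hellbans h ON h.author = m.author AND h.until > :now
          WHERE h.author IS NULL OR m.author = :viewer
          ORDER BY m.id'
    );
    $stmt->execute([':now' => $now ?? time(), ':viewer' => $viewer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample conversation.
postMessage($pdo, 'alice', 'hi all');
hellban($pdo, 'troll', '+7 days');
postMessage($pdo, 'troll', 'spam spam');
postMessage($pdo, 'bob', 'hello alice');

foreach (['alice', 'troll'] as $viewer) {
    echo "As seen by $viewer:\n";
    foreach (visibleMessages($pdo, $viewer) as $m) {
        echo "  {$m['author']}: {$m['body']}\n";
    }
}
```

Because the expiry is part of the join condition, the author's messages reappear for everyone once `until` has passed, without any clean-up step.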

cobusbo (Author) Posted August 31, 2014

> The changes you made will have no effect because the form in your admin script is not being submitted to your ip-ban-time-limit.php script!
>
> The changes you need to make to both scripts will be:
>
> In the admin script, when the ban form is submitted you need to add a new entry containing the following information into the ip-log.txt file:
>
> - the user's IP address
> - and the timestamp for when the ban will be lifted. For example, if the user is banned for 1 hour use strtotime('+1 hour') to generate the timestamp for when the ban is lifted. See strtotime for more info.
>
> The ip-ban-time-limit.php script will need to be written from scratch. The steps you need to take here are:
>
> - get the user's IP
> - check to see if the IP is listed in ip-log.txt
> - if it is found in the file, check to see if the current time is greater than the recorded timestamp
> - restrict access if sufficient time has not passed
> - only when sufficient time has passed you can remove the user's IP from ip-log.txt

Thank you, I decided to move to MySQL database rather.

> Before you jump to the technical details, I think the concept itself needs a reality check.
>
> Do you honestly believe that anybody on the Internet will wait 7 days for you to unban their IP address? I don't think so. Chances are they're back in 7 seconds with a new IP. I mean, even the dumbest script kiddie knows how to use a proxy, use Tor or simply reset their router.
>
> At the same time there's a huge risk of blocking legitimate users just because they happen to share their IP address with somebody else. If you hit a big proxy or VPN, you'll lock out hundreds or thousands of people who haven't done anything. Is your site so incredibly popular that you can live with that?
>
> I understand why programmers like IP bans: They're easy, they're cheap, and they give you the illusion of “doing something”. But I fear they solve no problems while creating new ones. I'm sure there's a better approach.
>
> What are you trying to do? Is this a public chat where you want to block certain participants? Then I'd use a cookie-like mechanism. Of course you shouldn't use actual cookies, because those are a bit too obvious. But if you search for Evercookie, you'll find a lot of more creative techniques.
>
> Another interesting concept is the hellban: Instead of actually blocking the user, you just ignore their messages. So while they believe they're still taking part in the discussion, they cannot be seen by anybody.
>
> Of course no technique is perfect. Anybody with a decent level of knowledge can circumvent any ban. What you can and should do, however, is keep the average troll busy without locking out half of the world's population.

Thank you, I saw I can use another method to block people.

lawless Posted August 31, 2014

> [...] I understand why programmers like IP bans: They're easy, they're cheap, and they give you the illusion of “doing something”. But I fear they solve no problems while creating new ones. [...]

Yes, IP bans are not really working. If you think of the mobile phone network where a LOT of users share the same IP, you are asking for trouble.

The concept of keeping certain people out is nothing more than the concept of letting certain people in. An upright registration process ((self-made) captcha, e-mail activation) and good user management are the keys that you are looking for. Anonymous or in that case unregistered users should only have access where they can not inflict any damage on your project.

But keep in mind that every security measure can be bypassed, set on the skill levels of the uninvited guest. So don't make it too hard for your upright users to use your project.