jaymc Posted September 21, 2007 Share Posted September 21, 2007 If I have a script on a website which does 4 queries to the database and 3 updates, whats to stop a 'hacker' writting an automated script to GET that URL x amount of times per second and blowing my server to peices! Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/ Share on other sites More sharing options...
forumnz Posted September 21, 2007 Share Posted September 21, 2007 Ha ha very funny... I gotta see this answer Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352219 Share on other sites More sharing options...
jaymc Posted September 21, 2007 Author Share Posted September 21, 2007 Its true though, Anhything you put on a webserver is publically available Its just like leaving your keys ni your car, someone can come along, drive your car all over the places and pretty soon you have 50,000 miles on the clock! The way to prevent that would be to not leave your keys in the car and lock it Now, how can we do this on a website Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352221 Share on other sites More sharing options...
dbo Posted September 21, 2007 Share Posted September 21, 2007 I'd have to have more details, but you could only allow x amount of connections in x amount of time from a given ip address. Of course this can be spoofed, but anything you do helps some. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352319 Share on other sites More sharing options...
MadTechie Posted September 21, 2007 Share Posted September 21, 2007 Depends on the setup, basic idea would be add a delay for example use a captcha before the data is sent Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352322 Share on other sites More sharing options...
Jessica Posted September 21, 2007 Share Posted September 21, 2007 Make sure there is validation. IE, how does the script know when to run? Do you manually access it? Put a password on it. Is it a cron job? Move it to a non-public folder. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352323 Share on other sites More sharing options...
dbo Posted September 21, 2007 Share Posted September 21, 2007 I guess I was reading script as a normal page. ie User selects some options, queries run and stuff, page loads. Captchas are annoying, make sure it makes sense to do this.... if the users are logged in before this happens apply my method with username instead of ip address. Then ban the users for abuse if it continues. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352328 Share on other sites More sharing options...
hvle Posted September 21, 2007 Share Posted September 21, 2007 sound like a flood control. I would capture and store IP along with time. Before running the query, check if the IP had passed an X amount of time. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352344 Share on other sites More sharing options...
MmmVomit Posted September 21, 2007 Share Posted September 21, 2007 If you're using sessions, you could use the session data to restrict how often someone writes to the database. <?php define('POST_DELAY', 30); if(time() - $_SESSION['last_access'] > POST_DELAY) { // run update queries } else { echo "You must wait " . POST_DELAY . " seconds before submitting another post."; } $_SESSION['last_access'] = time(); ?> Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352345 Share on other sites More sharing options...
jaymc Posted September 21, 2007 Author Share Posted September 21, 2007 Im talking about any script For instance, the home page etc Think of this forum.. when you view the home page MYSQL is being executed What happens if 10 guys run a script that blasts this home page 40 times a second Thats 400 queries.. Im not talking about one major script I have, where as, any script on the site Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352346 Share on other sites More sharing options...
jaymc Posted September 21, 2007 Author Share Posted September 21, 2007 If you're using sessions, you could use the session data to restrict how often someone writes to the database. <?php define('POST_DELAY', 30); if(time() - $_SESSION['last_access'] > POST_DELAY) { // run update queries } else { echo "You must wait " . POST_DELAY . " seconds before submitting another post."; } $_SESSION['last_access'] = time(); ?> Thats the type of thing I was looking for Any other ideas? Not IP based though as people may be behind a router in school etc Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352348 Share on other sites More sharing options...
dbo Posted September 21, 2007 Share Posted September 21, 2007 We've offered several ways to do it... pick one. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352351 Share on other sites More sharing options...
MmmVomit Posted September 21, 2007 Share Posted September 21, 2007 Thats the type of thing I was looking for Any other ideas? Not IP based though as people may be behind a router in school etc This isn't IP based, it's session based. The session ID is stored in a cookie, or passed via GET data, and is wholely independent of IP address. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352363 Share on other sites More sharing options...
jaymc Posted September 21, 2007 Author Share Posted September 21, 2007 Yeh I know I was reffering to one of the other posts Cheers for info! Can a php script register a session? Do get a session my members have to login, someone running a script point at my url, if they dont have a session it will die(); them Can a script register a session by sending the appropriate headers etc? Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352364 Share on other sites More sharing options...
MmmVomit Posted September 21, 2007 Share Posted September 21, 2007 I'm going to send you to the PHP manual for that one. Everything you need to know about how sessions work should be in there. Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352366 Share on other sites More sharing options...
jaymc Posted September 21, 2007 Author Share Posted September 21, 2007 Dont worry, I'll re-read up on it Thanks for info guys, very useful Quote Link to comment https://forums.phpfreaks.com/topic/70135-security/#findComment-352453 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.