jaymc Posted September 21, 2007 If I have a script on a website which does 4 queries to the database and 3 updates, what's to stop a 'hacker' writing an automated script to GET that URL x amount of times per second and blowing my server to pieces!
forumnz Posted September 21, 2007 Ha ha, very funny... I gotta see this answer.
jaymc Posted September 21, 2007 (Author) It's true though. Anything you put on a webserver is publicly available. It's just like leaving your keys in your car: someone can come along, drive your car all over the place, and pretty soon you have 50,000 miles on the clock! The way to prevent that would be to not leave your keys in the car and lock it. Now, how can we do this on a website?
dbo Posted September 21, 2007 I'd have to have more details, but you could only allow x amount of connections in x amount of time from a given IP address. Of course this can be spoofed, but anything you do helps some.
MadTechie Posted September 21, 2007 Depends on the setup. The basic idea would be to add a delay, for example use a captcha before the data is sent.
Jessica Posted September 21, 2007 Make sure there is validation. I.e., how does the script know when to run? Do you manually access it? Put a password on it. Is it a cron job? Move it to a non-public folder.
dbo Posted September 21, 2007 I guess I was reading "script" as a normal page, i.e. user selects some options, queries run and stuff, page loads. Captchas are annoying; make sure it makes sense to do this.... If the users are logged in before this happens, apply my method with username instead of IP address. Then ban the users for abuse if it continues.
hvle Posted September 21, 2007 Sounds like flood control. I would capture and store the IP along with the time. Before running the query, check whether an X amount of time has passed for that IP.
MmmVomit Posted September 21, 2007 If you're using sessions, you could use the session data to restrict how often someone writes to the database.

<?php
session_start();               // needed before $_SESSION is available
define('POST_DELAY', 30);

// On the first request of a session there is no timestamp yet; treat it as 0
$last = isset($_SESSION['last_access']) ? $_SESSION['last_access'] : 0;

if (time() - $last > POST_DELAY) {
    // run update queries
} else {
    echo "You must wait " . POST_DELAY . " seconds before submitting another post.";
}
$_SESSION['last_access'] = time();
?>
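The three throttling ideas in this thread (per-IP counting from dbo and hvle, per-username counting for logged-in users from dbo, and the session-based delay above) can all be driven by one sliding-window limiter that differs only in the key it counts under. The following is an added example and is not code from any poster in the thread; it assumes a writable temp directory for its JSON state file, and the limits (30 requests per 60 seconds), the `username` session field and the store path are constructed values you would adjust for your site.

```php
<?php
// Added example: sliding-window request limiter for the top of any PHP page.
// Key preference: logged-in username > PHP session id > client IP (least reliable:
// a school behind one router shares an IP, and a spoofed X-Forwarded-For is worthless).
define('RATE_LIMIT_MAX', 30);     // requests allowed per window (assumed value)
define('RATE_LIMIT_WINDOW', 60);  // window length in seconds (assumed value)
define('RATE_LIMIT_STORE', sys_get_temp_dir() . '/ratelimit.json'); // assumed path

function rate_limit_key() {
    if (!empty($_SESSION['username'])) {          // set by your login code (assumed field)
        return 'user:' . $_SESSION['username'];
    }
    if (session_id() !== '') {
        return 'sess:' . session_id();
    }
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ip:' . $ip;
}

// Returns true when the request may proceed, false when $key has used its budget.
// $now is injectable so the logic can be exercised without waiting on the clock.
function rate_limit_allow($key, $now = null) {
    $now = ($now === null) ? time() : $now;

    $fh = fopen(RATE_LIMIT_STORE, 'c+');          // create if missing, never truncate on open
    if ($fh === false) {
        error_log('rate limiter: cannot open store, failing open');
        return true;                              // storage trouble must not take the site down
    }
    flock($fh, LOCK_EX);                          // one request at a time touches the file
    $raw   = stream_get_contents($fh);
    $state = ($raw === '') ? array() : json_decode($raw, true);
    if (!is_array($state)) {
        $state = array();                         // corrupt file: start over rather than crash
    }

    // Prune every key's timestamps that fell out of the window; drop empty keys so
    // the file stays bounded by the number of callers seen in the last window.
    $fresh = array();
    foreach ($state as $k => $hits) {
        $kept = array();
        foreach ($hits as $t) {
            if ($t > $now - RATE_LIMIT_WINDOW) {
                $kept[] = $t;
            }
        }
        if ($kept) {
            $fresh[$k] = $kept;
        }
    }

    $mine    = isset($fresh[$key]) ? $fresh[$key] : array();
    $allowed = count($mine) < RATE_LIMIT_MAX;
    if ($allowed) {
        $mine[]      = $now;                      // only accepted requests consume budget
        $fresh[$key] = $mine;
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($fresh));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage: before the page's first database query.
session_start();
if (!rate_limit_allow(rate_limit_key())) {
    header('HTTP/1.1 429 Too Many Requests');
    header('Retry-After: ' . RATE_LIMIT_WINDOW);
    exit('Too many requests; please try again shortly.');
}
// ... the page's normal queries run here
?>
```

Two design notes. Blocked requests are rejected before any query runs, which is the whole point: the cost of a rejected hit is a file lock and a small JSON decode, not four SELECTs and three UPDATEs. And because the key falls back to the session id, an anonymous visitor without cookies will get a new session (and a fresh budget) every request; that is why the IP fallback still has to exist even though it is the least fair key, and why the file store should be swapped for APCu, memcached or Redis on anything busier than a hobby site.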
jaymc Posted September 21, 2007 (Author) I'm talking about any script. For instance, the home page etc. Think of this forum: when you view the home page MySQL is being executed. What happens if 10 guys run a script that blasts this home page 40 times a second? That's 400 queries. I'm not talking about one major script I have, but rather any script on the site.
jaymc Posted September 21, 2007 (Author)
> If you're using sessions, you could use the session data to restrict how often someone writes to the database.
>
> <?php
> session_start();
> define('POST_DELAY', 30);
> $last = isset($_SESSION['last_access']) ? $_SESSION['last_access'] : 0;
> if (time() - $last > POST_DELAY) {
>     // run update queries
> } else {
>     echo "You must wait " . POST_DELAY . " seconds before submitting another post.";
> }
> $_SESSION['last_access'] = time();
> ?>

That's the type of thing I was looking for. Any other ideas? Not IP based though, as people may be behind a router in school etc.
dbo Posted September 21, 2007 We've offered several ways to do it... pick one.
MmmVomit Posted September 21, 2007
> That's the type of thing I was looking for. Any other ideas? Not IP based though, as people may be behind a router in school etc.

This isn't IP based, it's session based. The session ID is stored in a cookie, or passed via GET data, and is wholly independent of IP address.
jaymc Posted September 21, 2007 (Author) Yeah, I know, I was referring to one of the other posts. Cheers for the info! Can a PHP script register a session? To get a session my members have to log in; if someone runs a script pointed at my URL and they don't have a session it will die(); them. Can a script register a session by sending the appropriate headers etc.?
MmmVomit Posted September 21, 2007 I'm going to send you to the PHP manual for that one. Everything you need to know about how sessions work should be in there.
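The short answer to the question above is yes: `session_start()` hands a session to any client, including one with no cookie at all, and a script that replays the cookie it was given keeps that session. So "the request has a session" is not the same as "the request is from a logged-in member", and a `die()` keyed on session existence protects nothing. The added example below (not code from the thread or the PHP manual) shows the check a member-only page should make instead; the `username` and `logged_in_at` fields are assumed names that your own login handler would set.

```php
<?php
// Added example: separate "has a session" from "is authenticated".
session_start();   // every visitor, scripted or not, now has a session; that is expected

// Call this from the login handler only after the password check has succeeded.
// Regenerating the id means a session id obtained before login (e.g. by a script
// that pre-fetched a cookie) stops being valid, so the login cannot be fixated.
function mark_logged_in($username) {
    session_regenerate_id(true);           // true = discard the old session file
    $_SESSION['username']     = $username; // assumed field name
    $_SESSION['logged_in_at'] = time();    // assumed field name
}

// Put this at the top of every member-only script instead of testing for a session.
function require_login() {
    if (empty($_SESSION['username'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Members only.');              // no queries have run yet at this point
    }
}

require_login();
// ... page body and database queries run only for authenticated members
?>
```

The order matters: `require_login()` runs before the first query, so an unauthenticated flood costs the server one session lookup per hit rather than the page's full query load, and whatever throttling you apply afterwards can count by username rather than IP, which sidesteps the shared-router problem.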
jaymc Posted September 21, 2007 (Author) Don't worry, I'll re-read up on it. Thanks for the info guys, very useful.