Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.
I'm in the process of building a forum for anyone to download and use, and I'm thinking about the user banning system.
What do people think is the best way of banning a user?
I know of the following:
IP ban - good, but some people have variable IPs and sometimes other users use the same IP, so it can't be used.
Username ban - well, it tends to give them the message but if they are really sad they'll just keep re-registering.
Cookie ban - Ban the username and drop a 5 year 'ban' cookie onto their system which is picked up each time they enter the site. Works okay unless they are alerted to the cookie or change computers often.
Password block - Simply randomise their password each time they try to log in. Might annoy them until they go away.
Stealth ban (I came up with this at about midnight last night) - Any posts made by the user cannot be seen by anyone except that user - he posts as normal and thinks everything is going fine, but no-one else has to put up with him.
Are there any more that I haven't thought of?
Last edited by Grim... on Tue May 25, 2004 5:51 am, edited 1 time in total.
E-mail ban.
Assuming users must have valid email addys to register.
It would be the same as username ban, except that if they now want a new account to keep on annoying you, they have to get another email addy as well.
Stealth ban is a nice idea, but could get trickier the more you think about it.
When he posts, he should see himself as the last poster in that thread, and the thread should jump to the top of the topic list, but only for him. Not so much trouble with one bad guy, but when you have 20 or 30?
For the stealth-banned people, they can have a dynamically-generated thread, whereas everyone else gets a cached copy of the real thread, that is actually accurate. That way, you only have to spend a bit of CPU time for the majority of users, and it gives you more room to process the stealth-banned people's views.
Username wildcard ban - for the really troublesome users who keep on re-registering, lets you ban part of their username. Of course they can pick a new username totally, but then they lose their "status" as a known trouble maker if you see what I mean?
"Muffle" - like your stealth ban, anything they post does actually go live, but has a "hidden" flag set so no-one else can see it.
I had great fun implementing a "frog" ban once.. it basically doesn't do anything to the user other than make the entire forum appear in frog language.. (pretty much replace every single word with "ribbit"). Pointless, but amusing.
IP, IP Mask, Domain, Domain Mask ban - both permanently and for a temp. period (i.e. it actually tells them "You've been banned until X/X/XXX") - sometimes this helps, you can make a user really "cool off" if they know that you have banned them, but it'll be lifted in say an hour. Then lots of the time they don't bother re-registering.
Also - keep yourself notified. Email yourself every time someone sets a new forum name for example.
Allow your moderators to "rate" users with a trouble-maker level, so their posts appear in a different colour (only mods can see this) which allows for much faster moderator action.
Also - and this one is VERY tricky to balance correctly - but you could allow your forum users to actually "vote off" another user. If enough people complain about a post/thread (and I mean it has to be enough) then that user can be automatically kicked from the forum. You have to have some criteria though - i.e. only people who have been registered longer than say 120 days can vote a user off, etc.
tim wrote: FYI - there is an IP range ban function in the code snippets
which, in my opinion, is the best solid way to keep a user out after they've been banned. my .02
56k?
my idea:
- randomize the password
- insert a cookie into their comp
- allow them to signup again
- when they do, have it check for the cookie, if it's there, send an email to you/any other admins (for faster action), and then you can randomize their password again before they can even activate their account.
The cookie probably won't be noticeable to the users since it doesn't say "you have been blocked" or whatever, so they won't be looking for it.
You could take certain information from the computer. Not just the IP. This could lead to problems of other users having the same equipment accessing your site. To prevent this just insert the IP in the same db column as the equipment. This should work unless they happen to use proxies.
Yeah, but if anyone is serious about hacking the site, they'll see a pattern in the cookies if they delete it once a day like I do. And I'm not even a hacker.
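An added sketch, not part of any post above and not the "code snippets" function mentioned in the thread, of two of the mechanisms discussed: an IP/IP-mask ban that can be permanent or temporary, and the stealth ban ("muffle") visibility filter. It assumes PHP 7.4+ on a 64-bit build and IPv4 only; the function names, the ban and post record shapes, and the sample data are hypothetical.

```php
<?php
// Added example (not from the thread); names and sample data are constructed.
/** True if IPv4 $ip lies inside $rule: a single address or CIDR "a.b.c.d/n". */
function ipInCidr(string $ip, string $rule): bool
{
    [$net, $bits] = array_pad(explode('/', $rule, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    // Reject malformed rules: "/abc" cast to int would become /0 and ban everyone.
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** First ban in force for $ip at time $now, or null. 'until' === null is permanent. */
function activeBan(array $bans, string $ip, int $now): ?array
{
    foreach ($bans as $ban) {
        $expired = $ban['until'] !== null && $ban['until'] <= $now;
        if (!$expired && ipInCidr($ip, $ban['cidr'])) {
            return $ban;
        }
    }
    return null;
}

/** Stealth ban / "muffle": hidden posts are returned only to their own author. */
function visiblePosts(array $posts, int $viewerId): array
{
    return array_values(array_filter($posts,
        fn(array $p): bool => !$p['hidden'] || $p['author'] === $viewerId));
}

$now  = 1700000000; // fixed clock so the run is repeatable
$bans = [
    ['cidr' => '203.0.113.0/24', 'until' => $now + 3600], // one-hour cool-off
    ['cidr' => '198.51.100.7',   'until' => null],        // permanent, one host
];
$posts = [
    ['id' => 1, 'author' => 10, 'hidden' => false],
    ['id' => 2, 'author' => 66, 'hidden' => true], // user 66 is stealth-banned
];
foreach (['203.0.113.42', '198.51.100.8'] as $ip) {
    $ban = activeBan($bans, $ip, $now);
    echo $ip, ': ', $ban === null ? 'allowed' : 'banned until ' . ($ban['until'] ?? 'further notice'), "\n";
}
echo 'user 10 sees ', count(visiblePosts($posts, 10)), ' post(s); user 66 sees ', count(visiblePosts($posts, 66)), "\n";
```

Applying the visibility filter when the thread is rendered, rather than dropping the post at submit time, is what lets the banned author keep seeing their own posts.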