Flood protection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Flood protection

Post by kkonline »

I have a form which sends data to the db. I am using a text number as verification; also I am using a flood protection script I got on the net. It logs the IP and the time in the db, and then works.

IP addresses are the easiest to spoof using simple techniques.

Now if the user presses the back button in the browser, the text number (captcha) remains the same and he can submit the form again after the 10 sec. flooding period. How to prevent this?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.

Also, to make the captcha image generate a new image, add a random string to the page that generates the image, to prevent caching.

Code:

echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

scottayy wrote: Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.

How will that help? By the time I compare the time on the processing page it will not match.

I am not clear what exactly you mean by comparing timestamps.

Should I store the time in the session on the form, then send it as a hidden value to the processing page and then compare?
One more thing: if the user presses the back button, then what will be the value in the session, the CURRENT value or the value that was posted previously?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Don't compare with time()... scottayy was thinking right, but probably just ended up writing it wrong.

You have a few choices (that I'd recommend). One of them is to do as scottayy said with comparing some sort of unique id such as the timestamp with the last submitted form. Save a hidden field with the unique id of that particular submission then save them into the session. If it encounters the same unique id in the form that is in the session, it is likely a duplicate submission. Otherwise, save the new unique id into the session.

The downside of that approach is when someone wants to change the information that they entered into a form by traveling back to it via the back button and altering it. In that case, an interesting way to do it would be to actually compare the form values using the session. This would be done by imploding the $_POST array or making a foreach loop that implodes the array with both the keys and values included (to avoid glitches).

The last approach is to simply stop them from being able to use the back button to re-submit the data. This can be done with the 'Location' header by technically "replacing" the page with the posted information with a different page (or itself).
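A worked version of the first and third options above (a one-time unique id in a hidden field checked against the session, then a Location redirect so the back button cannot replay the POST), combined with s.dot's session timestamp as an expiry. This is an added example, not code from the thread; it assumes a single script, comment.php, that both renders the form and handles its POST.

```php
<?php
// Added example: one-time form token + Post/Redirect/Get against double submits.
// Assumed layout: this file is comment.php and serves both the form and the POST.
session_start();

function issue_form_token(): string
{
    // Fresh token per form render, kept server-side and echoed into a hidden field
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();   // s.dot's timestamp, used for an expiry check
    return $token;
}

function consume_form_token(?string $submitted, int $max_age = 600): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_token_time'] ?? 0;
    // Spend the token before checking it: a second POST of the same hidden field
    // (Back button, double click, reload) finds nothing in the session and fails.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($stored === null || $submitted === null) {
        return false;
    }
    // hash_equals is a constant-time string compare and, unlike ==, never treats
    // numeric-looking strings such as "0123" and "123" as equal.
    return hash_equals($stored, $submitted) && (time() - $issued) <= $max_age;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(400);
        exit('Duplicate or expired submission.');
    }
    // ... check the captcha (and unset it from the session), validate fields, insert into the DB ...
    // 303 redirect: the history entry becomes a GET, so Back/Reload never re-POSTs.
    header('Location: comment.php?saved=1', true, 303);
    exit;
}

$token = issue_form_token();
?>
<form method="post" action="comment.php">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <textarea name="body"></textarea>
  <button type="submit">Post</button>
</form>
```

Because the captcha value is unset from the session in the same request that accepts it, a form re-posted from the browser's back button fails the captcha check even before the token check is reached.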
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

scottayy wrote: Also, to make the captcha image generate a new image, add a random string to the page that generates the image, to prevent caching.

Code:

echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';
To generate the code I use

Code:

<?php
  error_reporting(E_WARNING);
  if(function_exists('session_start')) session_start();

  $name = "secCode";          // session variable name

  srand((double) microtime() * 1000000);   // seeding is unnecessary on PHP >= 4.2
  $secCode = '';

  // six random digits; rand() is not a cryptographic source
  for($i = 0; $i < 6; $i++) $secCode .= rand(0, 9);
  $_SESSION[$name] = $secCode;   // stored server-side for the processing page to check

  echo $_SESSION[$name];
?>
In the processing page I use

Code:

if(isset($_POST['secCode']) && isset($_SESSION['secCode']) && $_POST['secCode'] === $_SESSION['secCode'])
{
    // correct security code, now validate name and other fields
    // (=== rather than ==: loose comparison treats numeric strings such as "0123" and "123" as equal)
}
I am using a text-based number display rather than an image (as images are cached by the browser). Now on pressing the back button I still get the same text code displayed...
As quoted by you, "add a random string to the page that generates the image, to prevent caching." How do I implement this in the script I am using?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

kkonline wrote: I am using a text-based number display rather than an image (as images are cached by the browser). Now on pressing the back button I still get the same text code displayed...
That destroys the whole purpose of the captcha, you know.
kkonline wrote: As quoted by you, "add a random string to the page that generates the image, to prevent caching." How do I implement this in the script I am using?
He's saying that if you add a random string to the end of *any* URL, it will prevent the cache from showing the same data.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

OK, now I understand what you and scottayy mean. However, when I write

Code:

<?php    echo "<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'>" ?></td>
to append a random string to the secure code (captcha script), in the SOURCE CODE I get the following

Code:

<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'></td>
rather than the actual value of randomString, which should be appended.

What is the problem with the code?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Notice how the "code" is red? That usually means it's a part of the string.
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

feyd wrote: Notice how the "code" is red? That usually means it's a part of the string.
feyd, I can understand that the code has some problem; can you help me fix it or write it the correct way?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I told you what's wrong with the code. You need to figure out the fix yourself because I'm pretty sure you've been given links to the pages concerning your problems with strings before.