  1. #1 SitePoint Addict (joined Nov 2011, 224 posts)

    Securing a page that uses $_GET to launch a database query

    I have a page that uses the content of an index in the $_GET array to launch a MySQL query. The query is secure (I hope so at least; it's escaped), but I am worried that this page is potentially a vulnerability on my site because of the ability to make database queries so fast. Are there any suggestions as to how I might prevent abuse? I was thinking of limiting it to 100 queries per minute per IP, but this method would add a lot of extra database baggage. I could check referrers, but these are easily spoofed. The goal here is to stop mini DDoS attacks on this $_GET interpreter script.
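The per-IP limit the question describes can be enforced without touching MySQL at all. The following is an added example, not code posted in this thread: a fixed-window counter per client address, stored in APCu when that extension is loaded and otherwise in a lock-protected file under the system temp directory. The limit of 100 requests per 60 seconds is the figure from the question; the PHP version, the APCu extension and the writable temp directory are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). A per-IP, fixed-window rate limiter
// that keeps its counters out of MySQL, which was the poster's concern about
// "extra database baggage". Assumes PHP 7.4+ and either the APCu extension or a
// writable system temp directory for the fallback store.

const RL_LIMIT  = 100; // requests allowed per window (the question's 100/minute)
const RL_WINDOW = 60;  // window length in seconds

/**
 * Returns true when the request from $ip is still within the limit for the
 * current window, false when it should be rejected. $now is injectable so the
 * logic can be exercised without waiting for real windows to pass.
 */
function rate_limit_allow(string $ip, int $limit = RL_LIMIT, int $window = RL_WINDOW, ?int $now = null): bool
{
    $slot = intdiv($now ?? time(), $window);               // id of the current window
    $key  = 'rl_' . hash('sha256', $ip) . '_' . $slot;     // hashed so the IP never lands in a filename

    if (function_exists('apcu_enabled') && apcu_enabled()) {
        // apcu_add() is a no-op when the key already exists; the TTL expires old windows.
        apcu_add($key, 0, $window * 2);
        $count = apcu_inc($key);
        return $count !== false && $count <= $limit;
    }

    // Fallback: one counter file per key, guarded by an exclusive lock so
    // concurrent requests do not lose increments. Stale files should be swept
    // by a cron job or the system tmp cleaner; that housekeeping is omitted here.
    $path = sys_get_temp_dir() . '/' . $key . '.cnt';
    $fh   = fopen($path, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return true; // fail open: a storage hiccup should not turn into an outage
    }
    $count = (int) stream_get_contents($fh) + 1;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, (string) $count);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count <= $limit;
}

/**
 * The address to key on. REMOTE_ADDR is filled in by the web server from the
 * TCP connection and cannot be forged by the client, unlike the Referer header.
 * X-Forwarded-For is only trustworthy when it is set by a proxy you control.
 */
function client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

if (PHP_SAPI === 'cli') {
    // Self-check: 100 requests pass, the 101st in the same window is refused.
    // A random key stands in for the IP so repeated runs do not share a counter.
    $ip  = 'selftest-' . bin2hex(random_bytes(4));
    $now = 1_700_000_000;
    $ok  = true;
    for ($i = 1; $i <= RL_LIMIT; $i++) {
        $ok = $ok && rate_limit_allow($ip, RL_LIMIT, RL_WINDOW, $now);
    }
    $rejected = !rate_limit_allow($ip, RL_LIMIT, RL_WINDOW, $now);
    echo ($ok && $rejected) ? "rate limiter OK\n" : "rate limiter FAILED\n";
} elseif (!rate_limit_allow(client_ip())) {
    // Place this check at the top of the $_GET handler, before any query runs.
    http_response_code(429);
    header('Retry-After: ' . RL_WINDOW);
    exit('Too many requests');
}
```

Run from the command line it exercises the counter once; included at the top of the handler script it answers with 429 once an address exceeds the window. A fixed window lets a client burst up to twice the limit across a window boundary; a sliding window or token bucket is tighter but needs more state, and for a single script this is usually good enough. Note that this only protects one script on one server: a distributed flood still reaches PHP, which is why the next reply points at the infrastructure layer.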

  2. #2 AnthonySterling (joined Apr 2008, North-East, UK; 6,111 posts)
    You shouldn't really be implementing this sort of protection within the application; your infrastructure should be configured to protect you against this. Try looking at configuring your firewall, or possibly Apache's mod_security module, if Apache is your chosen HTTP server.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  3. #3 SitePoint Addict (joined Nov 2011, 224 posts)
    That's interesting. I really don't think a lot outside the PHP box, since I have little experience with Apache other than mod_rewrite. I'll check out mod_security. Do you have any general ideas about how to go about this? For example, does Apache have built-in protection that I might set? Just looking for something to aim for while researching.

  4. #4 SitePoint Zealot (joined Jan 2011, Portland; 148 posts)
    Well, there is no absolute best, but for extra added security you can build a blacklist of control commands... then just loop through them for validation.
    coming soon sitejuju.com my new development portfolio
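The validation idea in the reply above can also be done the other way round: describe the one shape the parameter is allowed to have and reject everything else, so there is no list of bad tokens to keep current. The following is an added example, not code from any poster: an allow-list check on the $_GET value followed by a prepared statement, so the value is bound rather than escaped. The parameter name `id`, the table `items` and its columns are assumptions, since the thread does not say what the script looks up; the self-check runs against an in-memory SQLite table and assumes the pdo_sqlite driver.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). Validates the $_GET value against
// an allow-list before it reaches the database, then binds it as a parameter
// instead of escaping it. The parameter name (id), the table (items) and the
// columns are assumptions. Assumes PHP 7.4+ with PDO; the CLI self-check uses
// the pdo_sqlite driver with constructed sample data.

/**
 * Returns $get[$name] if it is a single string, not over-long, and matching
 * $pattern; otherwise null. Arrays (from ?id[]=x), NUL bytes, quote or comment
 * sequences and anything else off the allow-list are all rejected the same way.
 */
function validated_get(array $get, string $name, string $pattern, int $maxLen = 64): ?string
{
    $value = $get[$name] ?? null;
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match($pattern, $value) === 1 ? $value : null;
}

/**
 * Looks up one row by id with a prepared statement. The value travels to the
 * server separately from the SQL text, so it cannot alter the query structure.
 */
function lookup_item(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (PHP_SAPI === 'cli') {
    // Self-check against an in-memory SQLite table (constructed sample data).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO items VALUES ('42', 'widget')");

    $cases = [
        ['id' => '42'],              // on the allow-list: looked up
        ['id' => "42' OR '1'='1"],   // off the allow-list: never reaches the query
        ['id' => ['42']],            // array, not a string: rejected
        [],                          // missing: rejected
    ];
    foreach ($cases as $get) {
        $id  = validated_get($get, 'id', '/^[0-9]{1,10}$/');
        $row = $id === null ? null : lookup_item($pdo, $id);
        printf("%-22s -> %s\n", json_encode($get), $row === null ? 'no result' : $row['name']);
    }
} else {
    // In the real handler: reject early, then query with the bound value.
    // The PDO connection is site-specific and is not shown here.
    $id = validated_get($_GET, 'id', '/^[0-9]{1,10}$/');
    if ($id === null) {
        http_response_code(400);
        exit('Bad request');
    }
}
```

The pattern is the whole policy: change it to `/^[a-z0-9_-]{1,32}$/` for a slug, or to a fixed list compared with `in_array()` when only a handful of values are legal. Rejecting before the query also helps the rate-limiting concern from the first post, since malformed requests never cost a database round trip.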