Trouble with a Login logger

Hi,

I’m trying to use the following so each time a login to my Administration area fails, it stores this data and then blocks the user for a bit.

Just for a bit of brute force protection.


    $ip = $_SERVER['REMOTE_ADDR'];
    mysql_query("INSERT INTO `spam` SET `ip`=INET_ATON('$ip'), `realip` = '$ip';");
    // whenever somebody opens the page:
    mysql_query("SELECT `timestamp` FROM `spam` WHERE ip=INET_ATON('$ip') ORDER BY `timestamp` DESC LIMIT 1;");
    if (time() - $timestamp < 120) { // 2 minutes
        die('test');
        header("Location: http://www.mywebaddress.com/");
        exit;
    }

I tried twice in quick succession to login with incorrect credentials, but it doesn’t seem to execute the if statement.

It executes the INSERT INTO query correctly, and my SELECT query works fine.

Is there something obvious I’m missing in the IF statement?

Many thanks for any pointers.

You need to be a little bit more explicit with your math.


<?php
#if timestamp value is less than 2 minutes ago
if((time() - $timestamp) < 120){
    header(/** ..... **/);
    exit;
}

Note parentheses.

mysql_query won’t return $timestamp, you need to fetch that out of the result set.

Or perhaps maths o0 I would have thought subtraction would be evaluated before comparison?
Edit, maths seems fine.


$timestamp = time();
$timestamp += 10;
if(time()-$timestamp<0) { echo 'paradox'; } //paradox

I assumed the code was butchered to just show the IF implementation, Michael?

Yep. I’ve added the extra SQL in there now. :slight_smile: Sorry for the confusion.

Thanks for the replies chaps.

I’ve now updated it to:


    $ip = $_SERVER['REMOTE_ADDR'];
    mysql_query("INSERT INTO `spam` SET `ip`=INET_ATON('$ip'), `realip` = '$ip';");
    // whenever somebody opens the page:
    $sql = "SELECT `timestamp` FROM `spam` WHERE ip=INET_ATON('$ip') ORDER BY `timestamp` DESC LIMIT 1;";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    $timestamp = $row['timestamp'];
    if ((time() - $timestamp) < 120) { // 2 minutes
        header("Location: http://www.mywebaddress.com/");
        exit;
        // display error message: try again in 2 minutes
    }

But still not getting redirected.

Any ideas?

Shouldn’t this…


$result = mysql_query($result);

…be…


$result = mysql_query($sql);

Typo?

Aaaah, just fixed that. Thanks for the find.
But it’s still not liking it for some reason. Seems to ignore the if statement.

Is it worth changing my


    if ((time() - $timestamp) < 120) { // 2 minutes
        header("Location: http://www.mywebaddress.com/");
        exit;
        // display error message: try again in 2 minutes
    }

to something else?

Thanks.

Throw in some debugging; chances are you got a null resultset back from the database, so you end up asking…


if ((time() - 0) < 120) {
}

…which is never ‘true’.

Pop the following in your script (which would have found the previous typos), then check if you’re getting a resultset back.


error_reporting(-1);
ini_set('display_errors', true);

Always assume the worst will happen, just because it normally does. :slight_smile:

The error reporting just threw up a couple of unrelated errors.

When I echo out the SQL I’m using, I get:

SELECT `timestamp` FROM `spam` WHERE ip=INET_ATON('my.ip.goes.here') ORDER BY `timestamp` DESC LIMIT 1;

and this returns one row from the database.

I think I may look for another solution in the meantime.

I think I may stick with something like this:


    // log failed attempt, in case brute force
    $ip = $_SERVER['REMOTE_ADDR'];
    $email = mysql_real_escape_string($email); // user-supplied, so escape before interpolating
    $sql = "INSERT INTO login_attempts VALUES ('','$email','$ip',now())";
    mysql_query($sql);

    // more than 5 failed attempts in past day
    // (NOW()-1 is numeric arithmetic, not "one day ago"; use an INTERVAL)
    $sqler = "SELECT * FROM login_attempts WHERE ip = '$ip' AND date_added >= (NOW() - INTERVAL 1 DAY)";
    $reser = mysql_query($sqler);

    if (mysql_num_rows($reser) > 5) {
        header("Location: http://www.mywebaddress.com/");
        exit;
    }

but just change it so it’s in the past 5 minutes :slight_smile:

Thanks again for all the help guys.

One thing to remember when dealing with IPs is that some ISPs will give a person a new IP address for nearly every page request.

Really? Yeesh, didn’t realise that.

Had heard about dynamic IPs. Had thought they maybe just generated new IPs for each “session”.

Is there a way around that then, any other data I could take from their computer?

Thanks for the tip.
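The following is an added example, not code posted by anyone in this thread. It reworks the "count failed attempts in a window" approach from the last solution above, and also answers the point that a client's IP can change between requests: attempts are counted both per IP and per account (the `$email` the thread already logs), so an attacker rotating addresses is still throttled on the account they are hammering. It uses PDO with bound parameters instead of string-interpolated `mysql_query`, and stores the attempt time as an integer epoch so the window cut-off is computed in PHP rather than in SQL (the `NOW()-1` pitfall). Using `COUNT(*)` also sidesteps the empty-result problem from earlier in the thread, since a count is never NULL. Assumptions: a `login_attempts` table with the columns `email`, `ip` and `attempted_at` (created here for the demo; `attempted_at` is my name, not the thread's `date_added`), an in-memory SQLite database so it runs offline (swap the DSN for your MySQL one), and the 5-minute window and limits shown as constants.

```php
<?php
declare(strict_types=1);
// Added example for this thread, not the original poster's code.
// Assumes PDO; the in-memory SQLite DSN is only so the demo runs offline.

const LOCKOUT_WINDOW_SECONDS = 300; // 5 minutes, as the last post proposed
const MAX_ATTEMPTS_PER_IP    = 5;
const MAX_ATTEMPTS_PER_USER  = 5;   // assumption: also throttle per account, since IPs can change

function openDb(string $dsn = 'sqlite::memory:'): PDO
{
    $pdo = new PDO($dsn);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Demo schema (assumed); TEXT/INTEGER work on both SQLite and MySQL.
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        email TEXT NOT NULL,
        ip TEXT NOT NULL,
        attempted_at INTEGER NOT NULL)');
    return $pdo;
}

// Call this after a failed login; $now is injectable so the demo can use fixed times.
function recordFailedAttempt(PDO $pdo, string $email, string $ip, ?int $now = null): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO login_attempts (email, ip, attempted_at) VALUES (:email, :ip, :ts)');
    $stmt->execute([':email' => $email, ':ip' => $ip, ':ts' => $now ?? time()]);
}

// Number of failures for one key (ip or email) inside the lockout window.
function recentFailures(PDO $pdo, string $column, string $value, ?int $now = null): int
{
    // $column is one of our own names, never user input; the values are bound.
    if (!in_array($column, ['ip', 'email'], true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $cutoff = ($now ?? time()) - LOCKOUT_WINDOW_SECONDS; // window math in PHP, not SQL
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM login_attempts WHERE $column = :v AND attempted_at >= :cutoff");
    $stmt->execute([':v' => $value, ':cutoff' => $cutoff]);
    return (int) $stmt->fetchColumn(); // COUNT(*) is never NULL, unlike a single-row fetch
}

// Check this before processing the submitted credentials.
function isLockedOut(PDO $pdo, string $email, string $ip, ?int $now = null): bool
{
    return recentFailures($pdo, 'ip', $ip, $now) >= MAX_ATTEMPTS_PER_IP
        || recentFailures($pdo, 'email', $email, $now) >= MAX_ATTEMPTS_PER_USER;
}

// Demo with constructed data: five failures against one account, each from a
// different address (a client whose IP changes per request).
$pdo = openDb();
$t0  = 1700000000; // constructed epoch
for ($i = 0; $i < 5; $i++) {
    recordFailedAttempt($pdo, 'admin@example.com', '203.0.113.' . ($i + 1), $t0 + $i);
}
// Per-IP count is 1 for every address, but the per-account count is 5.
var_dump(isLockedOut($pdo, 'admin@example.com', '203.0.113.9', $t0 + 10));
// Five minutes after the first failure only four attempts remain in the window.
var_dump(isLockedOut($pdo, 'admin@example.com', '203.0.113.9', $t0 + 301));
```

Run it with `php example.php`; the first check reports a lockout and the second does not. On the real login page, call `isLockedOut()` before comparing credentials and `recordFailedAttempt()` on each failure; the redirect or "try again in 5 minutes" message from the thread goes in the branch where `isLockedOut()` is true.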