79 Comments
- hello2usir, on 10/12/2007, -2/+39
This has to be one of the most worthless "advanced tutorials" I've ever seen hit the front page.
Not only is this the wrong way to go about implementing a banning system, but the source itself is crap.
This line made me laugh: "I have not tested this code, but it should work. IF there are any errors it is just some little things like semicolons or quotes."
And the fact that this made the front page makes me weep for humanity.
- synt4x, on 10/12/2007, -2/+37
This is silly -- people constantly try to do in PHP what is vastly easier to do at the server level. Just about every Apache install has mod_access enabled, just shove into a .htaccess (or httpd.conf)
Deny From 1.2.3.4
Deny From 2.3.4.5/24
etc.
Just use the easiest tool for the job. - Jeconais, on 10/12/2007, -1/+34PHP is a good language, honest, but this sort of thing doesn't help.
1) the obvious security hole.
addban($ip,$_POST[reason],$_POST[legnth]);
$insert = mysql_query("INSERT INTO `banned` (`ip`,`time`,`long`,`reason`) VALUES ('$ip', '$time', '$legnth', '$reason')") or die("Could not add ban.".mysql.error()."");
We're taking two super-globals here and pasting them directly into a MySQL query. BAD IDEA - mysql_real_escape_string() is your friend, use it (this is where good classes and abstraction layers come into practice, let your DB class escape all data on input and never have to worry about it again.)
Yes, you do get basic escaping of key characters if you have magic_quotes turned on - but relying on this is a bad idea.
2) The E_NOTICE style - using array[key] throws an E_NOTICE that basically states it can't find 'key' as a defined constant and it presumes the string. Not necessarily a problem, until you accidentally use a predefined constant as your key, and things break.
If you want to use an array inside a string, and it throws an error, use $s="hello {$array['name']}";
3) As others have pointed out, there is no wildcard support - if you want to ban someone, and you don't mind accidentally banning innocents, you need to be able to ban ip address ranges that the isp uses, and hope that your idiot isn't clever enough to use a proxy or any other way around a simple IP ban - Switch22, on 10/12/2007, -1/+32"I have not tested this code, but it should work."
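The injection hole Jeconais describes, beside a hardened version of the same addban()/ban-check pair, as an added example that is not the tutorial's code or anyone's in this thread. It uses PDO with an in-memory SQLite table (assumed available) in place of the tutorial's mysql_* calls so it runs stand-alone; the column names follow the quoted script.

```php
<?php
// Added example: the tutorial's addban()/ban-check pair rebuilt on prepared
// statements. PDO + in-memory SQLite stand in for the mysql_* calls (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same columns as the quoted script, but `ip` is the key: a second ban for the
// same address replaces the row, so the duplicate-row failure cannot occur.
$db->exec('CREATE TABLE banned (ip TEXT PRIMARY KEY, time INTEGER NOT NULL,
                                long INTEGER NOT NULL, reason TEXT)');

// Vulnerable shape from the thread, for contrast only (never run here):
//   mysql_query("INSERT INTO `banned` ... VALUES ('$ip','$time','$legnth','$reason')")
// Hardened: input is bound as parameters and never becomes part of the SQL text.
function addban(PDO $db, string $ip, string $reason, int $lengthSeconds): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    $now = time();
    $stmt = $db->prepare('INSERT OR REPLACE INTO banned (ip, time, long, reason)
                          VALUES (:ip, :time, :until, :reason)');
    $stmt->execute([':ip' => $ip, ':time' => $now,
                    ':until' => $now + $lengthSeconds, ':reason' => $reason]);
}

// Returns the ban expiry (unix time) if $ip is currently banned, else null.
// Selects only the column it needs and ignores rows whose ban has lapsed.
function banExpiry(PDO $db, string $ip): ?int
{
    $stmt = $db->prepare('SELECT long FROM banned WHERE ip = :ip AND long > :now LIMIT 1');
    $stmt->execute([':ip' => $ip, ':now' => time()]);
    $until = $stmt->fetchColumn();
    return $until === false ? null : (int) $until;
}

// Constructed input: a reason carrying a quote and a comment marker, which the
// string-built query would have treated as SQL instead of storing as text.
addban($db, '203.0.113.7', "O'Brien said: spam'); --", 3600);
addban($db, '203.0.113.7', 'repeat offender', 7200);   // replaces, no duplicate row
printf("rows stored: %d\n", $db->query('SELECT COUNT(*) FROM banned')->fetchColumn());
$until = banExpiry($db, '203.0.113.7');
printf("203.0.113.7: %s\n", $until === null ? 'not banned' : 'banned until ' . date('c', $until));
printf("198.51.100.9: %s\n", banExpiry($db, '198.51.100.9') === null ? 'not banned' : 'banned');
```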
- rationalist, on 10/12/2007, -8/+35
"I have not tested this code, but it should work. IF there are any errors it is just some little things like semicolons or quotes."
AKA Bush administration policy applied to software engineering.
- quine, on 10/12/2007, -2/+22
Agreed, I'd have to say this is a pretty darned dumb idea. Also, let's not forget about large proxies either -- there's nothing like blinking out a large swath of your customer base because you targeted an AOL IP.
- thetanbark, on 10/12/2007, -1/+21
Um... htaccess does this, and probably much faster than PHP.
http://www.webmasterworld.com/forum92/5750.htm
- r00tus3r, on 10/12/2007, -1/+17
"I have not tested this code" ... wtf ... do I LOOK like a guinea pig to you!!!???
- portis, on 10/12/2007, -3/+19
Why bother banning IPs? If you have stuff to hide, use authentication instead.
- DDoSAttack, on 10/12/2007, -2/+13
A good start but, as it is suggested in one of the comments, it doesn't take into account dynamic ip addys.
- Zellius, on 10/12/2007, -0/+9
A number of flaws have been pointed out, and here's one more. The admin interface for this is not protected in any way - anyone can access banadmin.php?x=add and add any bans they want. And the funny part is that the admin interface doesn't do any ban checks, so if you get banned, you can just go to banadmin.php?x=delete and delete your own ban.
Worthless.
- se7en11, on 10/12/2007, -3/+10
"I have not been president before, but my father was. IF there are any issues it is just some little things like WMD or terrorist."
- pcgeek101, on 10/12/2007, -1/+8
If you're doing IP blocking, don't do it in your freaking *code* ... do it at the firewall level or webserver configuration.
- gharding, on 10/12/2007, -3/+10
PHP isn't going anywhere. And how exactly do you compare Ruby on Rails, a framework, to PHP, a language?
- dpdesign, on 10/12/2007, -0/+6
He has spelled "length" wrong consistently throughout the whole code (as "legnth") and at one point even uses it inappropriately:
$r=mysql_fetch_array($q);
die("You have been banned from this website until $r[legnth]. If you feel this is in error, please contact the webmaster.");
There is no $r[legnth] (or, as has already been stated, more accurately {$r['legnth']}). The column he was looking for was {$r['long']}. This seems a little more significant than a missing-semicolon error to me.
Furthermore:
$q = mysql_query("SELECT * FROM `banned` WHERE `ip` = '$ip' LIMIT 1");
There are five columns in the database; why select them all if he's only going to use one?
And while I'm tearing apart this same block of code, what's with this, appearing immediately after the above-posted line?
$get = mysql_num_rows($q);
// if found
if ($get == "1")
If the people who use this script (after fixing all its syntax errors, at the minimum) are as incompetent as the script author, I would not be surprised if the same IP is added more than once (and this script does nothing to stop that). If an IP is duplicated in the database here, the ban check will fail.
This script is a load of crap and most certainly not "advanced" as he claims it to be. It is not even syntactically correct, let alone having proper methodology and design paradigms.
The guy may be trying to be helpful to newbies, but all he's really doing is screwing them over with bad code and bad programming practices. I'm sure stuff he's done has wound up on TheDailyWTF before. Consequently, I have buried this in an effort to sweep the mess under the carpet, so to speak, and save the newbies from this rubbish code.
- dragonmantank, on 10/12/2007, -0/+6
Buried for the line: "I have not tested this code, but it should work. IF there are any errors it is just some little things like semicolons or quotes." Way to give a tutorial on something that you don't even know if it works. If you can't take 10 seconds to test this, why should I care?
- tuartboy, on 10/12/2007, -0/+6
I think it's better to do this at the physical level. When I want to ban someone I run out to their place with a shovel and cut their connection.
100% effective and 0% overhead.
- f00xx0riz3r, on 10/12/2007, -1/+6
Next up: How to ban stupid articles from appearing on digg. IN PHP!!
- Jeffrey903, on 10/12/2007, -1/+6
At least they consistently misspelled "legnth"
- Datrio, on 10/12/2007, -1/+6
Oh yeah genius, query the database on every page refresh, this is just the best thing you can do.
If you need something as simple as that guy posted (as in, no dynamic IPs, no proxies, etc.) just include at the beginning of every page a file called "bans.php", and put in it:
switch($_SERVER['REMOTE_ADDR']) {
    case "127.0.0.1":
    case "255.255.255.255":
    // and so on
        die("banned");
}
- inactive, on 10/12/2007, -1/+6
Agreed. And you can even easily ban people from specific folders, etc
<Directory "/home/paul/*/public_html/protected_directory">
Order Allow,Deny
Allow from all
Deny from xxx.xxx.xxx.xxx
</Directory>
- inactive, on 10/12/2007, -1/+5
Well, I screwed up that directory name.
It should say "/home/*/public_html/protected_directory"
It's too early.
- DoubtfulSalmon, on 10/12/2007, -2/+6
@ justgeorge:
Idiot. Dugg down, blocked. Please have someone let me know when you die so I can piss on your grave.
- fLUx1337, on 10/12/2007, -0/+4
Yep, a pile of rubbish... waste of time when I could use htaccess!
- tonto69, on 10/12/2007, -0/+3
I agree... this has helped me in blocking Nigerian scammers from my site.
- Charlotte_Web, on 10/12/2007, -2/+5
The answer is simple...
1) buy server iron from Dell with redundant everything
2) spend months and thousands of $$$ developing website
3) disconnect ethernet cable.
Voila, perfect security.
- portis, on 10/12/2007, -3/+6
Or just NOT have a website in the first place.
- Adrianc333, on 10/12/2007, -0/+3
How does stuff like this get on the frontpage?
There are thousands of tutorials like this.
- cryptoknight, on 10/12/2007, -0/+2
I actually use something similar to this for form submission to prevent people from mass spamming (put in garbage, click submit, press back, click submit). I have tried using captchas in the past but it simply does not deter most idiots. I have found that putting a 10 minute ban on the IP and then also checking for more than 5 posts in an hour (then ban for 24) works great!
- dpdesign, on 10/12/2007, -0/+2
I caught one other thing while proofreading my post but missed the edit window (damn me for being so verbose): mysql_num_rows(..) returns an int. Why is he wasting processor time having PHP cast it to a string when he checks it in the next conditional? That's just retarded. Ugh.
- jues, on 10/12/2007, -2/+4
Why is this man getting dugg down? He's perfectly correct, at least use mysql_real_escape_string if you are going to do inserts into a MySQL DB.
Not to mention that ban data should be stored in a flat file (xml document, etc) - what's the point of putting a massive DB overhead on such trivial information.
- inactive, on 10/12/2007, -1/+3
@diecastbeatdown
I have never in my life heard of a host that didn't let you create .htaccess files.
- onionizer, on 10/12/2007, -1/+3
issue #1: If I want a new IP, which in my case is assigned dynamically, I just have to disconnect-reconnect. et voilà.
issue #2: Even if my isp gives me only a static IP, what happens if I'm using a proxy, or one of those anonymizer sites?
this script may be working for banning bots, but not people.
- stubcn75, on 10/12/2007, -0/+2
Oh dear, it gets worse. I had a look at his own website (found from his profile in the forum). Have a look in his *cough* portfolio section and click on the 'visit' link for 3VO.co.uk
http://mikeroquemore.com/portfolio/ (Not safe for work)
Disgruntled client maybe?
- insovietrussia, on 10/12/2007, -2/+4
Exactly, dumping a whole lot of users through inadvertently banning a transparent proxy (ala Wikipedia) probably isn't a great idea.
One useful application of this setup that I have seen before is banning IP ranges from certain countries, though I can't think of a practical reason for doing this off hand, I'm sure it could be handy in certain situations.
- rdivilbiss, on 10/12/2007, -0/+2
Worthless and stupid! Block IPs at the server not in website script.
- HeyItsJeremy, on 10/12/2007, -0/+2
This is a really ***** way to go about IP banning. I can't believe it made it to the front page.
- sirsteveh, on 10/12/2007, -0/+2
Looking around for phpma is probably not so much a hole as getting scanned by something like IntelliTamper. A guy once wanted to dig through my Web site, and I checked my access logs -
GET /a/ HTTP/1.0
GET /b/ HTTP/1.0
GET /c/ HTTP/1.0
GET /d/ HTTP/1.0
GET /e/ HTTP/1.0
...
GET /z/ HTTP/1.0
But if you plan on writing a program to automatically tally 404's, and then ban after a certain number, good luck making such a "TallyBan" program scalable.
- blitzkriegpunk, on 10/12/2007, -1/+3
ugh. Horrible.
- vdxc, on 09/29/2008, -0/+2
@addi
The issue with your code is that HTTP_X_FORWARDED_FOR can be faked pretty easily. I've found banning IPs to be pointless on my sites, there's usually a way around an IP ban (such as anon. proxies for example).
- stubcn75, on 10/12/2007, -0/+2
really.. have a look at this. its funny
- gaoshan, on 10/12/2007, -0/+2
If by "advanced tutorial" you mean "simplistic, inefficient, not very effective hack" then yes, this is indeed quite advanced.
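How a ban check can consult X-Forwarded-For without trusting a header any client can set, the weakness vdxc raises against addi's getIp() posted later in the thread. This is an added example, not addi's or vdxc's code; the TRUSTED_PROXIES addresses are assumed to be reverse proxies we operate, and the sample requests are constructed.

```php
<?php
// Added example (not addi's or vdxc's code): derive the client address for a
// ban check without trusting a header any client can set.
// Assumption: these are the addresses of the reverse proxies we operate.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Peer is not one of our proxies: the socket address is the client and any
    // X-Forwarded-For it sent is just attacker-controlled text.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Each proxy appends the address it saw, so walk the chain right-to-left:
    // the first hop that is not one of ours is the best available client address.
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // A forged or garbage value must not become the key in the ban table.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($hop, FILTER_VALIDATE_IP, $flags) !== false) {
            return $hop;
        }
        break;
    }
    // Empty or unusable chain: fall back to the proxy's address rather than
    // acting on a forged header.
    return $remote;
}

// Constructed requests (documentation addresses, not real traffic):
$direct = clientIp(['REMOTE_ADDR' => '198.51.100.23',
                    'HTTP_X_FORWARDED_FOR' => '203.0.113.1']);      // header ignored
$proxied = clientIp(['REMOTE_ADDR' => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.6']);
$forged = clientIp(['REMOTE_ADDR' => '10.0.0.5',
                    'HTTP_X_FORWARDED_FOR' => '127.0.0.1']);        // falls back to proxy
echo "direct: $direct\nproxied: $proxied\nforged: $forged\n";
```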
Some of the specific problems:
• Database query for each connection. You should cache the results and only refresh the cache on new commits to the database.
• You ban me? I use a proxy server or just turn on Tor.
Some general problems:
• Why do you want to ban someone? Are they an annoying individual who is harassing you? They will probably just turn to a proxy server and keep at it. Your ban will slow them down for the 30 seconds it takes them to route through the proxy.
• Is it a spammer? They are probably automated and will keep hitting you from a variety of IP addresses (none of them "theirs"). You would have to block a range of IP's to even slow them down and then you run the risk of blocking people who don't need blocking.
Some general solutions:
For an automated spammer, the best solution is probably to put in a brief delay that will slow down their progress. Perhaps even a delay that only affects a certain block of addresses. For example, if they are hitting you every few seconds/minutes from a block starting with 65.128.xxx.xxx throw up a 10 or 15 second delay for anyone approaching from those blocks. Inconvenient for visitors from there but it could really screw up a spammer's timetable. In my experience, automated crap like this will often come from a related block of IP's and will come very regularly and quickly. Perhaps if you are getting regular, frequent requests from the above mentioned block, a script could kick in that would institute an even longer delay. If a spammer finds that his automated process has ground to a standstill because it is waiting on your server over and over again, they may well just move on.
For a determined individual, there is little you can do. A temporary block on them may help but most likely it will have no effect. Best thing to do, in a blog situation, would be to require moderation of comments. That way they will never know if they are getting to you or not and their posts will never see the light of day. This lack of feedback may discourage them. If you do block IP addresses, I'd recommend having the block automatically lifted after a proscribed period of time (so you don't forget to let folks back in).
- inactive, on 10/12/2007, -0/+1
Ever heard of mod_security?
- blackrock, on 10/12/2007, -0/+1
y'all may laugh, but my former (thank god) boss did this very thing in a number of places on our site.
- docjeff, on 10/12/2007, -0/+1
Are people still not quite familiar with the obscene number of proxies out there? To say nothing of the applications available which manipulate them - sheesh.
- bliz, on 10/12/2007, -0/+1
Banning dynamic IP and IP ranges was what caused me to get logged out of digg for no good reason. I emailed the digg admin but thankfully they solved the problem.
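Range-aware matching with automatic expiry, combining the ISP-range banning Jeconais and synt4x mention with gaoshan's advice to lift blocks after a set period. This is an added example, not code from the tutorial or the thread; it is IPv4 only, assumes a 64-bit PHP build, and the ban list is constructed from documentation addresses.

```php
<?php
// Added example: CIDR matching plus timed expiry for an IPv4 ban list.
// Assumes a 64-bit PHP build (ip2long() stays non-negative there).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;   // malformed address or prefix never matches
    }
    $bits = (int) $bits;
    // /0 matches everything; otherwise keep the top $bits bits of the address.
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns the first entry that still applies to $ip at time $now, or null.
// Entry shape: ['cidr' => string, 'until' => unix time or null, 'reason' => string].
function findBan(string $ip, array $entries, int $now): ?array
{
    foreach ($entries as $entry) {
        if ($entry['until'] !== null && $entry['until'] <= $now) {
            continue;   // lapsed: lifted automatically, nobody has to remember
        }
        if (ipInCidr($ip, $entry['cidr'])) {
            return $entry;
        }
    }
    return null;
}

// Constructed ban list (documentation ranges, not real indicators).
$now  = 1700000000;
$bans = [
    ['cidr' => '203.0.113.0/24', 'until' => $now + 600, 'reason' => 'form spam burst'],
    ['cidr' => '198.51.100.7',   'until' => $now - 1,   'reason' => 'expired entry'],
    ['cidr' => '192.0.2.0/28',   'until' => null,       'reason' => 'permanent'],
];
foreach (['203.0.113.200', '198.51.100.7', '192.0.2.15', '192.0.2.16'] as $ip) {
    $hit = findBan($ip, $bans, $now);
    echo $ip, ': ', $hit === null ? 'allowed' : "banned ({$hit['reason']})", "\n";
}
```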
- addi, on 10/12/2007, -0/+1
function getIp()
{
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) // behind a proxy server, then REMOTE_ADDR is the proxy's ip
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        return $_SERVER['REMOTE_ADDR'];
}
- sirsteveh, on 10/12/2007, -0/+1
Yeah, and check out the SQL at that:
- He used a separate `id` field as a primary key. Is he doing complex joins on this DB? Because I'm pretty sure you would only want to ban an IP address one time at once at most.
- No use of built-in date types, just a php time().
- Use of SELECT * when he needed a rowcount, and also when he needed just 2 columns.
And, though it borders on mean, I'd like to point out his ad for "quality web design" on his home page:
http://mikeroquemore.com/
- mikeroq, on 10/12/2007, -0/+1
He is having trouble admitting that he couldn't code his site himself. Also, I wrote this tutorial 2 years ago. I just keep reposting it, and I was shocked it got up there in diggs.
- on9star, on 10/12/2007, -0/+1
http://www.affiliateprogramslocator.com/tools/htaccess_generator.php
Nice little .htaccess builder, think you can ban IPs there too.