Similarly, I could adjust my brute force attack to sleep() a pre-determined
amount of time too ;-)

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
and be done. A better way to stop attacks is to have a tally of failed
logins if you really are that worried someone is going to brute-force you.
Then after 3 fails, just don't let that IP connect or add other intelligent
handling. Maybe add them to a 'ban list' after x amount of failed tries. You
can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

> -----Original Message-----
> From: John W. Holmes [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 20, 2004 7:10 AM
> To: ..: GamCo :..
> Subject: Re: [PHP-DB] Wait Statement... ?
> ..: GamCo :.. wrote:
> > ok, i added the sleep() function in my page. what i'm 
> basically doing is :-
> > 
> > i have a .php page where people log-in from. from there i 
> send the form to
> > another .php page that actually checks the login and 
> registers a session
> > with the username and password as session variables. then 
> on the page that
> > actually does the validation, i have something that says : 
> validating
> > login... sleep 1 funtion. then, i have another line that 
> says validation
> > successfull... sleep 1 function and then i have another 
> line that says
> > redirecting... with sleep 1 function and then header 
> redirects to the actual
> > logged-in.php file. the redirect and validation works 
> perfectly as well as
> > the sleep functions, but it now doesn't display the 
> validating login... blah
> > blah blah stuff which is done in normal html code...
> You are very confused. Read the manual page on header(). You 
> can't have 
> any output before you try to redirect with a header().
> If you're trying to implement some sort of brute force protection by 
> using sleep(), you're using it in the wrong method, anyhow. 
> Your login 
> processing script should sleep for a second or two whether 
> the login is 
> correct or not and it should be the first thing that it does (i.e. 
> before any output or redirection). If you only sleep() on 
> failures and 
> redirect on good logins, brute force methods can pick up on that and 
> adjust their methods to get around the wait time.
> -- 
> ---John Holmes...
> Amazon Wishlist:
> php|architect: The Magazine for PHP Professionals -
> -- 
> PHP Database Mailing List (
> To unsubscribe, visit:

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to