Similarly, I could adjust my brute force attack to sleep() a pre-determined
amount of time too ;-)
The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
and be done. A better way to stop attacks is to have a tally of failed
logins if you really are that worried someone is going to brute-force you.
Then after 3 fails, just don't let that IP connect or add other intelligent
handling. Maybe add them to a 'ban list' after x amount of failed tries. You
can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.
> -----Original Message-----
> From: John W. Holmes [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 20, 2004 7:10 AM
> To: ..: GamCo :..
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] Wait Statement... ?
> ..: GamCo :.. wrote:
> > ok, i added the sleep() function in my page. what i'm basically doing is :-
> > i have a .php page where people log-in from. from there i send the form to
> > another .php page that actually checks the login and registers a session
> > with the username and password as session variables. then on the page that
> > actually does the validation, i have something that says :
> > login... sleep 1 function. then, i have another line that says validation
> > successful... sleep 1 function and then i have another line that says
> > redirecting... with sleep 1 function and then header redirects to the actual
> > logged-in.php file. the redirect and validation works perfectly as well as
> > the sleep functions, but it now doesn't display the validating login... blah
> > blah blah stuff which is done in normal html code...
> You are very confused. Read the manual page on header(). You can't have
> any output before you try to redirect with a header().
>
> If you're trying to implement some sort of brute force protection by
> using sleep(), you're using it in the wrong method, anyhow. Your login
> processing script should sleep for a second or two whether the login is
> correct or not and it should be the first thing that it does (i.e.
> before any output or redirection). If you only sleep() on failures and
> redirect on good logins, brute force methods can pick up on that and
> adjust their methods to get around the wait time.
> ---John Holmes...
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> php|architect: The Magazine for PHP Professionals - www.phparch.com
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
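Added example, not code from either poster: a login handler that combines both suggestions in the thread, sleeping before any output on every request (so success and failure take the same time and header() still works) and keeping a per-IP tally of failed logins with a ban after three. The demo account, the tally file path and the ban length are constructed for illustration.

```php
<?php
// Added example (not from the thread). The demo account, TALLY_FILE and
// the ban length are constructed values; a real app reads the user's
// password hash from the database.
const MAX_FAILS   = 3;                        // fails before the address is banned
const BAN_SECONDS = 900;                      // how long a ban lasts
const TALLY_FILE  = '/tmp/login_fails.json';  // per-IP fail counts (must be writable)

function check_credentials(string $user, string $pass): bool {
    $hash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed demo user
    return $user === 'demo' && password_verify($pass, $hash);
}

// 1. Sleep first, on every request, before any output or redirect, so the
//    response time does not reveal whether the password was right.
sleep(2);

$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

$tally = is_file(TALLY_FILE) ? (json_decode(file_get_contents(TALLY_FILE), true) ?: []) : [];
$entry = $tally[$ip] ?? ['fails' => 0, 'banned_until' => 0];

// 2. A banned address is refused before its password is even checked.
if ($entry['banned_until'] > time()) {
    header('HTTP/1.1 429 Too Many Requests');
    exit('Too many failed logins. Try again later.');
}

if (check_credentials($user, $pass)) {
    unset($tally[$ip]);                         // clear the tally on success
    file_put_contents(TALLY_FILE, json_encode($tally), LOCK_EX);
    session_start();
    session_regenerate_id(true);
    $_SESSION['username'] = $user;              // keep the password out of the session
    header('Location: logged-in.php');          // nothing echoed yet, so the redirect works
    exit;
}

// 3. Failed login: bump the tally and ban once the limit is reached.
$entry['fails']++;
if ($entry['fails'] >= MAX_FAILS) {
    $entry['banned_until'] = time() + BAN_SECONDS;
    $entry['fails'] = 0;
}
$tally[$ip] = $entry;
file_put_contents(TALLY_FILE, json_encode($tally), LOCK_EX);
header('HTTP/1.1 401 Unauthorized');
exit('Login failed.');
```

The "validating login..." messages the original poster wanted to show cannot be printed from this script; put them on logged-in.php, or on a page that receives the result, since any output before header() breaks the redirect.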