> Then, it is not safe to do IP-based blocking, right? Any alternative?

As I mentioned in an earlier post (my original reply to you):

> If I can't trust $HTTP_REFERER, how can I deny malicious attack like
> that?

The best way is authentication... that is asking the user for a username
and password before doing getting the data (then you can block out
specific users should they attack you - but you can only do that after the
incident). There are other methods - I dont know what the load on your
server is generating, but Im pretty sure there will be an alternative way
of doing it.

eg: on request do the load-based method and dump the details into a
temporary table with a timestamp of the last time it was updated. If you
get the same request within x minutes (or hours / days) then serve up the
generated information from the table.

This would mean that your db no longer gets hammered if malitious users
were to launch 5000 requests at it in the space of 10 mins, it would just
do the big DB operation the once.

Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to