RE: [PHP-DB] Wait Statement... ?
Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary. How determined are you ;-)

Our product has a brute force attacker in it, and for some protocols, we have to wait a few seconds between each attempt b/c otherwise the protocol blocks you as it considers it a DoS. But the results can finish in several days or even weeks.

You can still do this on top of the sleep() method. A one second wait isn't going to affect you when you log in to an application.

Sure. If you really want to sleep(1); then go nuts. I was only trying to point out that the sleep(1) is not a really viable way to prevent crackers from doing anything really. Just slow them down.

The problem with reacting after three failed logins is that it can then be easy to lock other people out of their account. You just have to figure out their username, which usually isn't that hard. Since IP addresses can be spoofed or shared among users of certain ISPs, relying on them isn't adequate, either.

Well, you'd only get 3 attempts to guess a username from a given IP. It takes a lot more work to spoof an IP, and coordinate an attack with several computers. And most crackers aren't trying to lock people out of their account, they're trying to gain access themselves. If I wanted to bring down a server, I'd just DoS it, not waste time locking individual users out one at a time.

Daevid Vincent
Senior Engineer / Architect

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Wait Statement... ?
I like this idea of longer sleeps for each fail in theory, but it becomes moot if you only allow 3 failed attempts.

-Original Message-
From: Tim Van Wassenhove [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Wait Statement... ?

Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (removing old entries once in a while might speed up things)

Daevid Vincent
Senior Engineer / Architect
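The two-queue idea from this thread, sketched as an added example that is not code from any of the posters: failures are counted per username and per client address, old entries are pruned, and the wait grows with the combined count instead of locking the account. The class name, the 15-minute window, the 30-second cap and the sample addresses are assumptions.

```php
<?php
// Added example, not code from the thread. Class, constants and sample values are assumptions.
const WINDOW_SECONDS = 900;     // failures older than this no longer count
const MAX_DELAY_SECONDS = 30;   // cap: every sleep() also occupies one of your own PHP workers

final class FailureLog
{
    /** @var array<string, int[]> queue key => timestamps of failed logins */
    private array $queues = [];

    public function record(string $user, string $ip, int $now): void
    {
        $this->queues["user:$user"][] = $now;   // queue 1: per username
        $this->queues["ip:$ip"][] = $now;       // queue 2: per client address
    }

    private function recent(string $key, int $now): int
    {
        // Drop old entries on every read so the queues stay small.
        $kept = array_values(array_filter(
            $this->queues[$key] ?? [],
            fn (int $t): bool => $t > $now - WINDOW_SECONDS
        ));
        if ($kept === []) {
            unset($this->queues[$key]);
        } else {
            $this->queues[$key] = $kept;
        }
        return count($kept);
    }

    public function delayFor(string $user, string $ip, int $now): int
    {
        $failures = $this->recent("user:$user", $now) + $this->recent("ip:$ip", $now);
        // No failures: no wait. Otherwise 1, 2, 4, 8 ... seconds, up to the cap.
        return $failures === 0 ? 0 : min(MAX_DELAY_SECONDS, 2 ** min($failures - 1, 10));
    }
}

// Constructed scenario: three bad passwords for "alice" from one address.
$log = new FailureLog();
$t = 1090360000;
for ($i = 0; $i < 3; $i++) {
    $log->record('alice', '203.0.113.9', $t + $i);
}
$cases = [
    'same address, same account'    => ['alice', '203.0.113.9', $t + 3],
    'alice from her own address'    => ['alice', '198.51.100.7', $t + 3],
    'unrelated user and address'    => ['bob', '198.51.100.8', $t + 3],
    'same address after the window' => ['alice', '203.0.113.9', $t + 3 + WINDOW_SECONDS],
];
foreach ($cases as $label => [$user, $ip, $now]) {
    printf("%-30s sleep(%d)\n", $label, $log->delayFor($user, $ip, $now));
}
```

In a login handler the delay would be passed to sleep() before the password check and record() called after each failure; a real deployment would keep the queues in a shared store such as a database table rather than in one process's memory.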
[PHP-DB] Query returns duplicate rows
My query is returning duplicate rows.

table: elements
    elementId standardId elementtext category mcode linenum

table: scores
    scoreId taskId scores

Here's my query:

    SELECT distinct elementtext,category,mcode,linenum,scores,scoreId
    FROM elements, scores
    WHERE scores.taskId='12' AND elements.standardId='APR.05'

This is returning duplicate rows, even though I'm using the DISTINCT keyword. If I remove the field scoreId it is fine. Any suggestions?
Re: [PHP-DB] Query returns duplicate rows
On Wed, 21 Jul 2004 16:29:37 -0400, Brock Jimmy D Contr 74 MDSS/SGSI [EMAIL PROTECTED] wrote:
> My query is returning duplicate rows.
>
> table: elements
>     elementId standardId elementtext category mcode linenum
>
> table: scores
>     scoreId taskId scores
>
> Here's my query:
>
>     SELECT distinct elementtext,category,mcode,linenum,scores,scoreId
>     FROM elements, scores
>     WHERE scores.taskId='12' AND elements.standardId='APR.05'
>
> This is returning duplicate rows, even though I'm using the DISTINCT keyword. If I remove the field scoreId it is fine. Any suggestions?

Should you perhaps be doing some kind of ON clause to that join? It's joining every record in elements with every element in scores. You need to tell it what fields to join on.

Also, doing a distinct on that many fields at once could be very expensive. Better to refine your query or data model.

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
RE: [PHP-DB] Query returns duplicate rows
These two tables do not have a relation, so there is nothing to join.

Basically, what I'm trying to do is this: Users need to score elements. The elements are associated with standards. A standard may have 1 to 29 elements associated with it. For users to score the elements they need to see the criteria for that particular element.

Thanks for the help though.

-Original Message-
From: Justin Patrin
To: Brock Jimmy D Contr 74 MDSS/SGSI
Cc: [EMAIL PROTECTED]
Sent: 7/21/2004 5:02 PM
Subject: Re: [PHP-DB] Query returns duplicate rows

On Wed, 21 Jul 2004 16:29:37 -0400, Brock Jimmy D Contr 74 MDSS/SGSI [EMAIL PROTECTED] wrote:
> My query is returning duplicate rows.
>
> table: elements
>     elementId standardId elementtext category mcode linenum
>
> table: scores
>     scoreId taskId scores
>
> Here's my query:
>
>     SELECT distinct elementtext,category,mcode,linenum,scores,scoreId
>     FROM elements, scores
>     WHERE scores.taskId='12' AND elements.standardId='APR.05'
>
> This is returning duplicate rows, even though I'm using the DISTINCT keyword. If I remove the field scoreId it is fine. Any suggestions?

Should you perhaps be doing some kind of ON clause to that join? It's joining every record in elements with every element in scores. You need to tell it what fields to join on.

Also, doing a distinct on that many fields at once could be very expensive. Better to refine your query or data model.

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
Re: [PHP-DB] Query returns duplicate rows
On Wed, 21 Jul 2004 17:09:35 -0400, Brock Jimmy D Contr 74 MDSS/SGSI [EMAIL PROTECTED] wrote:
> These two tables do not have a relation, so there is nothing to join.
>
> Basically, what I'm trying to do is this: Users need to score elements. The elements are associated with standards. A standard may have 1 to 29 elements associated with it. For users to score the elements they need to see the criteria for that particular element.
>
> Thanks for the help though.

You may want to try selecting all selected elements, then all selected scores, then loop through them individually. Doing a join without an ON clause is IMHO not a good choice.

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
Re: [PHP-DB] Wait Statement... ?
Well, everyone is in big discussion about this, so I figure I'll toss in my worthless 2 cents.

Say your users have a password of like 8 characters, Brutus (used for brute forcing) will tell someone trying to gain access that they'll have better luck asking the person. So the only real threat is like dictionary attacks. So you add an eregi and ask your users to include at least 1 number and/or a special character.. or you have your own dictionary that you check the word against, if it's in your dictionary then you tell the user to select another one.

Brute forcing a password is pass or fail, if the person is determined enough they'll get in. Using a dictionary can work sometimes, script kiddies can whip those out pretty quick and try it. The main anti-passcrack would be a strong password. I usually use minimum of 8 characters, 1 special character not at the end. And on top of this I also have about 7,000 words/common passes in a MySQL database that I reference.

Of course, you have to remember that you're dealing with users.. as in users... who will make their password their initials and the last 2 digits of their birthday... or they'll make it 112233.

The best way to learn about security on stuff like this is to sit down and try to break into your system, if you can do it locally then that's better, so that you can test it as if someone plugged in on your server's LAN (highly improbable) and anyone that tries to sell you a product for the anti-passcrack is really saying, you don't seem to want to write the 40 lines of code.. so I'll rip you on it.

Shah
[PHP-DB] search form w/ multiple fields
I have a form with firstname, lastname, phone, and email fields. I would like to search the database and return results to the same page in an iframe. I want to be able to search by just one or multiple. For example I can search by firstname with value of john and it will return all john rows in iframe or search firstname value john and lastname value smith and again will return all rows with data in iframe.

I have tried this but don't think I am doing something correct:

    $result = mysql_query ("select * from customerinfo where firstname like '%".$_POST['firstname']."%' or '%".$_POST['lastname']."%' or '%".$_POST['phone']."%' or '%".$_POST['email']."%'");

I can't seem to figure out how to display. I have tried

    <?php echo $_POST['firstname']; ?>

in the HTML but there was no return of data. This is my form:

    <form action="search.php" method="post" name="search" id="search">
    First Name: <input type="text" name="firstname" />
    Last Name: <input type="text" name="lastname" />
    Phone : <input type="text" name="phone" />
    Email : <input type="text" name="email" />
    <input type="submit" value="search" />
    </form>

all of this is on the same page, the page is called search.php
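The query in this post concatenates $_POST values straight into the SQL string, so anything typed into the form becomes part of the statement. As an added example (not the poster's code), here is the same multi-field search built from only the boxes that were filled in, with every value passed as a bound parameter and the output HTML-escaped. The table and column names come from the post; PDO, the in-memory SQLite database and its two rows are assumptions so the script runs offline.

```php
<?php
// Added example, not the poster's code. Table and column names come from the post;
// PDO, the in-memory SQLite database and its rows are constructed so this runs offline.
const SEARCH_FIELDS = ['firstname', 'lastname', 'phone', 'email'];

function buildSearch(array $input): array
{
    $where = [];
    $params = [];
    foreach (SEARCH_FIELDS as $field) {      // column names only ever come from this list
        $value = $input[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            continue;                        // empty box: no condition on that column
        }
        // Escape LIKE wildcards so what the user typed is matched literally.
        $literal = strtr(trim($value), ['!' => '!!', '%' => '!%', '_' => '!_']);
        $where[] = "$field LIKE ? ESCAPE '!'";
        $params[] = "%$literal%";
    }
    $sql = $where ? 'SELECT * FROM customerinfo WHERE ' . implode(' AND ', $where) : null;
    return [$sql, $params];
}

function search(PDO $db, array $input): array
{
    [$sql, $params] = buildSearch($input);
    if ($sql === null) {
        return [];                           // nothing filled in: do not dump the whole table
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);                 // values travel as bound parameters, never as SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customerinfo (firstname TEXT, lastname TEXT, phone TEXT, email TEXT)');
$db->exec("INSERT INTO customerinfo VALUES ('John', 'Smith', '555-0100', 'jsmith@example.com'),
    ('John', 'O''Brien', '555-0101', 'job@example.com')");

// Constructed inputs standing in for $_POST: one field, two fields with a quote, a bare wildcard.
$posts = [['firstname' => 'john'], ['firstname' => 'john', 'lastname' => "O'Brien"], ['phone' => '%']];
foreach ($posts as $post) {
    foreach (search($db, $post) as $row) {
        echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "\n";
    }
    echo "--\n";
}
```

Conditions are joined with AND so that filling in both firstname and lastname narrows the result, which is the behaviour the post asks for; the same statement text works against MySQL through a PDO MySQL connection.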