Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: ocean10000
I'm a web developer/webmaster and do some limited database/ASP (VBscript) stuff and some SEO.
One of my clients has a new competitor. Their store locator stops you after 5 zip code queries ("..only 4 queries per week or 8 queries per month allowed.."). They are obviously using PHP.
My client wants me to do the same for our MS-Access/ASP (Dreamweaver MX 2004) store locator database, which now has no limitations on number of ZIP, City name or Phone Area searches.
My client is convinced this new competitor, with a new clone of client's product, got useful info on client's retail distribution strategy from our database.
We are on a Windows server (obviously) on a virtual shared hosting account. Not doing anything server-side at this point (except the search and results pages).
Can we also create such a query limitation without switching to MySQL and/or away from a Windows server?
Any ideas much appreciated!
They are obviously using PHP.
Just because you are on a windows server doesn't mean you can't do that, you just haven't done it yet.
There are lots of ways to do it. One way would be to write/increment a cookie for each attempt. After 5, you just turn it off. that's an easy way.
A more complicated way would be to write something to a DB everytime it's run for a certain date. When that hits five you shut it off.
You might not be able to do it in straight vanilla Dreamweaver, but it certainly is possible.
I didn't want to prejudice people's ideas by restricting my question, but i'm pretty sure that a cookie would be too easy to intercept/bypass.
Not expecting "perfect" security, since that would probably take a password (which would discourage sales), but hoping for a method that would at least discourage database copying - if not totally stop it.
Maybe a way to block IPs after a certain number of queries and for a limited blocking time would be best?
But how to script that?
Their store locator stops you after 5 zip code queries ("..only 4 queries per week or 8 queries per month allowed.."). They are obviously using PHP.
Short of those two things, there's not really much else you can do without developing an ActiveX or Java solution that runs on the client-computer and uses some form of uniqueness to limit that particular machine from accessing more than X times a week, month, etc.
Honestly if someone really wants to query your database, they'll find a way - personally if it were me and there were a real need to secure the data I'd take a balanced approach to it:
1. Permanent cookies to "limit" day-to-day usage for normal users.
2. Session variables to limit how many queries can be used in a single session*
3. Server-side trigger to stop one IP from rapidly downloading all the data.
4. Server-side tracking / auditing so you can watch for any patterns.
* The session method is only really useful if you can force a user to interact with an intermediate page before they hit the "search" page - stopping an attacker from just requesting the search page directly and forcing them to create a more complex site scraper.
However if they can just go to the "search" page directly to set their "per session" counter (for example by requesting a new session every time) then this method falls apart.
Yes, B2C and the customers go to the store locator ASP search page from the home page (but of course nothing stops them from going directly, once they know the page name).
There are about 10K records, so far.
Sounds like i need to find an ASP script to log IP addresses into a separate database and count them, etc.
Any idea where i could look for such a beast? Maybe it's time to contract a programmer. This is a bit over my head and not something i want to get expert in at this point.