
PHP/MYSQL Security Question

Defeating an automated attack that probes for valid logins


aravenwood

3:39 am on Jul 6, 2005 (gmt 0)




I have a website that generates a password for registrants based on info that they enter into a web registration form. The info is posted, and mysql_real_escape_string'ed before it is dumped into the database and processed. My question is this: How do I defeat someone who wrote a program that automates the process of randomly generating login/passwords and simulating a form posting the info in the hopes of finding one that works (a la the movie Wargames)? Any help would be appreciated.
Thanks,
Michael

Dijkgraaf

4:20 am on Jul 6, 2005 (gmt 0)




Well you could have a database of failed logins, in which you log the username and IP.
After a certain number of failures you don't allow any more login attempts from that IP or user for a period of time.

mcibor

10:42 am on Jul 6, 2005 (gmt 0)




Moreover, to prevent automated registering you can add verification with a random text picture. For wargame prevention use the time ban after e.g. 3 failed logins, for IP longer - 0.5 hour, and for user shorter, e.g. 5 minutes, as Dijkgraaf suggested.

Best regards and welcome to WebmasterWorld!
Michal Cibor
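An added example (not code from either poster) of the failed-login log and time bans described in the two replies above: a table of failures keyed by username and IP, a 3-failure threshold, a 30-minute ban per IP and a 5-minute ban per username. It assumes a PDO connection `$pdo`, a `failed_logins` table as shown in the comment, and a `users` table with a `password_hash` column; all of those names are assumptions for the example.

```php
<?php
// Example login throttling, added here as an illustration (not the thread's own code).
// Assumed schema:
//   CREATE TABLE failed_logins (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(255) NOT NULL,
//     ip VARCHAR(45) NOT NULL,          -- 45 chars fits IPv6 text form
//     attempted_at DATETIME NOT NULL,
//     INDEX ip_time (ip, attempted_at),
//     INDEX user_time (username, attempted_at)
//   );
//   users(username, password_hash)     -- password_hash from password_hash()

const MAX_FAILURES     = 3;     // failures before a ban starts (mcibor's "eg. 3")
const IP_BAN_SECONDS   = 1800;  // 0.5 hour for the IP, the longer ban
const USER_BAN_SECONDS = 300;   // 5 minutes for the username, the shorter ban

// Count failures for one IP or one username inside the given window.
// The two queries are fixed strings; nothing from the request reaches the SQL text.
function countRecentFailures(PDO $pdo, string $key, string $value, int $windowSeconds): int
{
    $cutoff = date('Y-m-d H:i:s', time() - $windowSeconds);
    $sql = match ($key) {
        'ip'       => 'SELECT COUNT(*) FROM failed_logins WHERE ip = :v AND attempted_at > :cutoff',
        'username' => 'SELECT COUNT(*) FROM failed_logins WHERE username = :v AND attempted_at > :cutoff',
    };
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':v' => $value, ':cutoff' => $cutoff]);
    return (int) $stmt->fetchColumn();
}

// Either ban is enough to refuse the attempt.
function isBlocked(PDO $pdo, string $username, string $ip): bool
{
    return countRecentFailures($pdo, 'ip', $ip, IP_BAN_SECONDS) >= MAX_FAILURES
        || countRecentFailures($pdo, 'username', $username, USER_BAN_SECONDS) >= MAX_FAILURES;
}

function recordFailure(PDO $pdo, string $username, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO failed_logins (username, ip, attempted_at) VALUES (:u, :ip, NOW())'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip]);
}

// A successful login clears the counter for that user so the bans only track live guessing.
function clearFailures(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('DELETE FROM failed_logins WHERE username = :u');
    $stmt->execute([':u' => $username]);
}

// Returns true only for a correct password on an unbanned user/IP.
// A banned attempt and a wrong password produce the same false result, so the
// response does not reveal which of the two happened.
function attemptLogin(PDO $pdo, string $username, string $password, string $ip): bool
{
    if (isBlocked($pdo, $username, $ip)) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash !== false && password_verify($password, $hash)) {
        clearFailures($pdo, $username);
        return true;
    }

    recordFailure($pdo, $username, $ip);
    return false;
}

// Usage from the login handler:
// $ok = attemptLogin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '', $_SERVER['REMOTE_ADDR']);
```

The per-username ban is deliberately the shorter of the two: on its own, a username ban lets anyone lock a real user out just by failing three times against that name, whereas the IP ban falls on the machine doing the guessing. Rows older than the longest window can be pruned on a schedule (`DELETE FROM failed_logins WHERE attempted_at < NOW() - INTERVAL 1 HOUR`) so the indexed counts stay cheap. The example uses prepared statements rather than the `mysql_real_escape_string` approach mentioned in the question; either keeps the values out of the SQL text, but prepared statements do it without the caller having to remember the escaping call.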

henry0

11:22 am on Jul 6, 2005 (gmt 0)




In addition, make the email part of your auth system.
I use a function that
Checks if email exists
Validates email syntax
and most important
Validates email domain
so a fake generated email will fail.

Regards.
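An added example of the three checks henry0 lists, written here for illustration and not henry0's own function. It assumes a PDO connection `$pdo` and a `users` table with an `email` column (both assumptions). The domain check uses `checkdnsrr`, so it needs DNS access at runtime.

```php
<?php
// Added example (not henry0's code): validate a registration email in three steps,
// cheapest first, so a randomly generated address is rejected before any DB or DNS work.

// 1. Syntax: filter_var applies PHP's built-in RFC-style address check.
function emailSyntaxValid(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// 2. Existence: has this address already been registered?
function emailAlreadyRegistered(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// 3. Domain: a domain that can receive mail publishes an MX record, or at least an
//    A/AAAA record that mail servers fall back to when no MX exists (RFC 5321).
//    A made-up domain such as "abc123.invalid" has none of these, so it fails here.
function emailDomainValid(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    $domain = substr($email, $at + 1);
    if ($domain === '') {
        return false;
    }
    return checkdnsrr($domain, 'MX')
        || checkdnsrr($domain, 'A')
        || checkdnsrr($domain, 'AAAA');
}

// Returns null when the address passes, otherwise a short reason for the form.
function validateRegistrationEmail(PDO $pdo, string $email): ?string
{
    $email = trim($email);
    if (!emailSyntaxValid($email)) {
        return 'invalid email syntax';
    }
    if (emailAlreadyRegistered($pdo, $email)) {
        return 'email already registered';
    }
    if (!emailDomainValid($email)) {
        return 'email domain does not accept mail';
    }
    return null;
}

// Usage from the registration handler:
// $problem = validateRegistrationEmail($pdo, $_POST['email'] ?? '');
// if ($problem !== null) { /* redisplay the form with $problem */ }
```

The DNS lookup is the expensive step, which is why it runs last; it also only proves that the domain can receive mail, not that the mailbox exists, so it pairs naturally with the activation-by-email step many registration forms already use.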