|
PHP - How To Best Stop Hammering Of My Web Server Api?
I have a web app that uses an API that I wrote to communicate with my MySQL database that was written in PHP. Currently, each user of the API is required to authenticate before using the API with a username/password. Every API request is logged into a Requests_History table which stores the API request type, the timestamp and the userId of the requester.
How can I easily stop hammering of the API via too many requests in a given time period? 1. first violation within 24 hours, 2 minute ban 2. second violation within 24 hours, 10 minute ban 3. second violation within 24 hours, 1 hour ban Similar TutorialsI recently wrote a web app made with flash that communicates with php scripts on my web server(apache2). Like most others, I believe my web app is the end all be all and could potentially attract millions of users Ok, long story short, in the long haul, there will be people using robots to communicate with my php scripts to do tasks that are in the game in order to cheat. I'd like to limit these users from hammering the server with robotic requests. I no for a fact that no human will make requests to my game more than once per two seconds or so. So is it best for me to somehow do this type of code with php? or maybe at the apache level somehow? My flash application can detect http error status codes for each request so if any solution would cause a non standard 200, that is fine, i should be able to detect the code, and wait a couple seconds on the flash client, then do a retry hopefully I'm lost on this one and would appreciate some help Hello; I know there is a way but I just can't get it out of my head. I have my code that i want to show to the user and then i have code i want to execute but not show anything to user. I no am not making my self clear which i am sorry for so ill give you an example. <? show_my_site(true); // Now i have code which will never output anything but the webbrowser will always wait for it to complete my_function_that_takes_time(true, 'Very Long'); ?> So what i want is some code to tell the browser thats it! You have everything. I cant use die; or exit; because i want to execute the code. Thank-you Paul I have a PHP web system that store in a windows server. In the system, there is a function for user to upload files to another server (Shared server in Unix). When i try to upload a file, it gives warning: Warning: move_uploaded_file(\\unixserver/sharedfolder/upload/test.txt) [function.move-uploaded-file]: failed to open stream: Permission denied in C:\wamp\www\upload\index.php on line 40 For your information, my username has been assigned in xxx's group that has access to read and write on that folder. Besides, i'm able to open,create and delete files on that folder's server manually (samba). The safe mode setting is off. Does anybody has any idea why this thing happen? I'm trying to make a simple website where people register to my website. When the user doesn't fill anything inside the boxes they get a message "Please fill all required fields" on the register.php page On my local host require_once works good. It shows up.
But when i upload the files to my sever the require_once does not show up on the register.php It just refreshes and i dont get the message "Please fill all required fields"
This is the code that works in local host but not in a live server <?php require_once 'messages.php'; ?>
Here is my full code
Register page: <html> <?php require_once 'messages.php'; ?> <br><br> <form action="register-clicked.php" method="POST"> Username:<br> <input type="text" name="usernamebox" placeholder="Enter Username Here"> <br><br> Email:<br> <input type="text" name="emailbox" placeholder="Enter email here"> <br><br> Password:<br> <input type="password" name="passwordbox" placeholder="Enter password here"> <br><br> Confirm Password:<br> <input type="password" name="passwordconfirmbox" placeholder="Re-enter password here"> <br><br> <input type="submit" name="submitbox" value="Press to submit"> <br><br> </form> </html>
Register clicked <?php
session_start();
$data = $_POST;
if( empty($data['usernamebox']) ||
empty($data['emailbox']) ||
empty($data['passwordbox']) ||
empty($data['passwordconfirmbox'])) {
$_SESSION['messages'][] = 'Please fill all required fields';
header('Location: register.php');
exit;
}
if ($data['passwordbox'] !== $data['passwordconfirmbox']) {
$_SESSION['messages'][] = 'Passwords do not match';
header('Location: register.php');
exit;
}
$dsn = 'mysql:dbname=mydatabase;host=localhost';
$dbUser='myuser';
$dbPassword= 'password';
try{
$connection = new PDO($dsn, $dbUser, $dbPassword);
} catch (PDOException $exception){
$_SESSION['messages'][] = 'Connection failed: ' . $exception->getMessage();
header('Location: register.php');
exit;
}
messages.php <?php
session_start();
if (empty($_SESSION['messages'])){
return;
}
$messages = $_SESSION['messages'];
unset($_SESSION['messages']);
?>
<ul>
<?php foreach ($messages as $message): ?>
<li><?php echo $message; ?></li>
<?php endforeach; ?>
</ul>
Edited Wednesday at 12:49 AM by bee65 Hi, I am not a PHP programmer. I took on a new client with a simple PHP site, without any databases. The site is up and running on the web. I would like to get it running on my local machine for further development. I have latest version of WAMP installed, running Apache version 2.2.11 and PHP version 5.3.0 I created a directory in the WAMP "www" project directory and it shows up there like it's supposed to when I browse to "localhost" Problem: The home page of website displays text but no, images, styles, footer, header, nav links, etc. Here is the code for the home page: <? define("NAV","home"); require_once('local/local.php'); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>TITLE</title> <meta name="keywords" content=""> <meta name="Description" content=""> <? include("common/dochead.php"); ?> </head> <body onLoad="<? include('common/preloads.php'); ?>"> <!-- ============================ main ============================= --> <div id="main-frame"><div id="main" class="noCollapse"> <? include("common/sign.php"); ?> <div id="right-frame"> <? include("common/navigation.php"); ?> <div id="content-frame"> <div id="content"> <h1>Welcome</h1> <p>This is the content area. This is the content area. This is the content area. </p> </div><!-- end content --> </div><!-- end content-frame --> </div><!-- end right-frame --> <div class="clearFloats"></div> </div><!-- end main --></div><!-- end main-frame --> <? include("common/footer.php"); ?> </body> </html> Any help would be greatly appreciated. I have spent many hours on this. Regards Hi folks, I'm curious if I can for example, save a file from my server and it will save to all other servers - obviously if they accepted the connection first. It's for a software I developed and is almost complete and know there will be frequent updates to it. Instead of users downloading upates, I want the update files from my server to somehow synchronize to their server automatically? Anything called this?? Thanks for info. Following a tutorial on udemy, i tried to learn the very basics of mvc structure. I built the same project on my local server and it worked without giving me any error. but when i tried it on live server. its not working as it should. not showing any error. I tried to figure out the problem and found that for every page loading, it stops at the same line in my main.php file. <?php require($view); ?> starting from the above line. it stops. i came here to share my problem but i am unable to upload my files here. if there is a way to upload and share my files, please guide. zip file size of the whole project is 31.6 kb This isn't exactly an application design question, but rather a system design one.
I am about to install an Inventory Control System inside this store I work in.
The store itself also owns a Linode VPS running Centos 6.4 which hosts our website.
This new Inventory System will come built in with a Microsoft SQL Server, and supposedly it is a SQL Anywhere database, but I'm not too sure what that means.
I need to make this database publicly accessible, but only via the Linode VPS. Surely, setting restrictions is easy enough to address that issue. That isn't my question.
My first idea is to put this server into the DMZ, easy. But it doesn't exactly sound safe. So my next idea was to put a middleman server in the DMZ, this way the Linode can send queries to that middleman server and it will send that data to the SQL Server and back. This is very vaguely described I know, but I don't want to get too much into details, but rather, understand how I can create that middleman server, and what could Install onto it that would allow me to securely process queries?
My first thought was to install a webservice, that accepts an XML/JSON request and returns an XML/JSON response.
Then, I realized directly afterwards that I don't have any experience setting up a webservice like that.
What kind of options are there out there? Ultimately, my question is, should I just put the Server in the DMZ or should I create the middleman, and if so, can someone point me in the right direction as to getting a webservice set up? Edited by Zane, 15 July 2014 - 11:28 PM. (This might be the wrong forum; it might be server-side configuration, but alas it is the code that *calls* fwrite, so I'll start here.) I have written a script, and one thing it does is generate a file to disk using fwrite. No big deal. Here's what interests me: On most servers, the file is written successfully when the folder's permissions are 755 with recursive permissions. On some servers, 755 fails. Only 777 works. How could this be? Are permissions=permissions=permissions? Why will 755 work on one machine but not another? I'm just a logic guy; I know very little of server-side configuration and/or why there would be a difference here. Just trying to learn. Hey. I am wanting to move a couple of files from my current server to another. If i am uploading the file this is fine but if it is already on the server then im not sure how to move it. When uploading I can just use ftp_put($conn_id, $destination_file, $myFile, FTP_BINARY); What i need to do is figure out how to get a hold of the file and store it in $myFile then this would work fine. Is this possible? Cheers I have two servers: WebServer and FaxServer. WebServer needs to send a fax. Is my approach shown below fairly secure? Before sending a fax, ServerWeb needs to store a record in a table representing the message, and I am using a pseudo random value for the PK which is generated as 2147483648+mt_rand(-2147483647,2147483647). WebServer then generates a hash equal to hash('sha256',$pk.'secretCodeWhichOnlyWebServerAndFaxServerKnow'). WebServer then sends curl request to FaxServer using POST which includes $pk, the hash, the fax number, some text to include in the fax, and an optional array of document to include (array(array('id'=>321,'name')=>'fileName.pdf')). FaxServer verifies that the hash is correct given $pk, that the minimum information has been received, and that the fax number is a valid phone number, and quickly responds to WebServer by echoing 0 or 1 so the code in the WebServer could continue and inform the user. If all looks okay, a new instance of PHP is started.
if(missingInformation) {echo(0);}
else {
session_start();
$_SESSION['_xfr']=$_POST;
exec('/usr/bin/php -q /path/to/send_fax.php '.session_id().' >/dev/null &');
echo(1);
}
New instance of PHP send_fax.php then does the following:
session_id($argv[1]);//Set by parent
session_start();
$data=$_SESSION['_xfr'];
$doc_list=null;
foreach ($data['documents'] AS $doc)
{
if(ctype_alnum($doc['id']))
{
$file='/some/tmp/directory/'.$doc['id'];
if(!file_exists($file))
{
$url='http://machine.WebServer.com/index.php?task=displayDocument&id='.$doc['id'].'&x='.hash('sha256','displayDocument'.$doc['id'].'secretCodeWhichOnlyWebServerAndFaxServerKnow');
$cmd='wget -O '.$file.' '.escapeshellarg($url);
exec($cmd);
}
$doc_list.=' '.$file;
}
exit('invalid document');
}
//Send the fax...
//Send another CURL request to the WebServer similar to the wget giving the fax status.
exit;
When WebServer receives the wget request for a document, it confirms the hash and sends the document to the FaxServer using X-Sendfile.When WebServer receives the CURL request regarding status, it updates the database for the applicable message. Seem reasonably secure? What I'm trying to do is copy all files from one server to another folder on another server. Here is what I have have so far.. <?PHP //connection settings $ftp_server = "server"; $ftp_user_name = "user"; $ftp_user_pass = "pass"; $dir = "/var/test/"; $destination_file = "/test/"; // set up basic connection $conn_id = ftp_connect($ftp_server); // login with username and password $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass); // check connection if ((!$conn_id) || (!$login_result)) { echo "FTP connection has failed!"; echo "Attempted to connect to $ftp_server for user $ftp_user_name"; exit; } else { echo "Connected to $ftp_server, for user $ftp_user_name"; } if (ftp_chdir($conn_id, $dir)) { echo " <br/>Current directory is now: " . ftp_pwd($conn_id) . "\n<p/>"; } else { echo "Couldn't change directory\n<p/>"; } $buff = ftp_rawlist($conn_id, $dir); foreach($buff as $files) { echo $files. "<br/>"; if (ftp_get($conn_id, $destination_file."test.file", $dir."test.txt", FTP_BINARY)) { echo "<br/>Successfully written to $destination_file\n"; } else { echo "There was a problem\n"; } ?> That doesn't work. Any ideas? Thanks, Sean I just did a huge import from an app I have been working on. No issues except for this. I uploaded & imported all files & databases from my wampserver (localhost, local server) to my main online server. Before I continue with the problem, I have to give you info on how the files work. I am using a "controller" to view the files. Meaning, from index.php, I call all the files. For example, instead of mysite.com/register.php, its mysite.com/index.php?page=register. The index defines the doctype & html tags etc. The other files that are called through index.php are just pure php code, it does not contain the head & body tags etc. So, the issue is , when the surfer submits a form, i need to set a cookie. this cookie is VERY important. I cannot get it to work. I am getting the header warnings after submit Of course, this is to be expected. But I tried it on my local server, & it worked. I am not very familiar with cookies, this is a side of PHP i never really even touched. I know almost everything but that. So the php code is before the html code on the page, so I figured it was worth a shot. Im guessing the problem here is, since the code being outputted as index.php code + the form page code. So the cookie is being set after the html tags. How can I fix this? I need it to work thru the controller. I cannot just make it a single file, all files on the site needs to be thru this controller, otherwise it will mess everything up. Ino I could just add the code from index.php plus the form page code & just run the php code before all of the html tags, but like I said it has to be called thru index.php. I appreciate your replies, & I hope you guys dont think im an idiot & can understand my question, im terrible with words! I wish to create validation rules once which are used both on the client and on the server.
For instance, I will start off with the following PHP object:
stdClass Object
(
[rules] => stdClass Object
(
[email] => stdClass Object
(
[required] => 1
[email] => 1
[remote] => stdClass Object
(
[url] => check-email.php
[type] => post
[data] => stdClass Object
(
[username] => function() {return $( '#username' ).val();}
)
)
)
)
[messages] => stdClass Object
(
[email] => stdClass Object
(
[required] => an email is required
)
)
)
When the edit page is downloaded to the client, I will include this object in some format suitable to the client.
The client will then use the jQuery Validation plugin (http://jqueryvalidation.org/) along with the validation object, and client side validate the page.
When the form passes client side validation and is uploaded, PHP will use the same validation object to serverside validate the form (I have this part working as desired).
My question is how should I pass this data to the client? Originally, I would just use PHP to write some JavaScript.
exit('var myObj='.json_encode($myObj));
Note that when I json_encode the object, the value of $myObj->rules->email->remote->data->username is a string with quotes around it, however, I can easily use PHP to strip these tags before sending it to the client.
As Jacques1 pointed out in http://forums.phpfre...ascript-client/, I should never ever use PHP to generate JavaScript, and should use AJAX to download the JSON directly. I tried doing the later, but found that a callback function could not be included in the JSON.
Please advise on the best way to accomplish this.
Thank you
Hello, I want to ask you, how to code the next problem I want to transfer some coins from site A to site B, I have access to both sites. My question is, how can I update table on site B, when I send request for updating on site A. Basicly, I need to transfer value from site A, and site B should receive this value, and update table. How can I do it, what do I need? I have a system setup to pull a while() query out of a file. As follows: // In another file that is included into the one I'm running. $support_1_start = './includes/modules/while/support.1.open.php'; $support_1_stop = './includes/modules/while/support.1.close.php'; // The actual file. include($support_1_start); // This starts the mysql while() query. ?> // Data should be displayed here... <?php include($support_2_stop); // This ends the mysql while() query. The only problem is that I'm getting the following error: Code: [Select] Parse error: syntax error, unexpected $end in /home/nuke/public_html/includes/modules/while/support.1.open.php on line 16 I assume its because I included the while() function, but didn't close it in that file, but instead another file. Maybe you know how to fix this? If you want my complete source code in order of what is ran: http://www.nuclear.apnx.us/source.txt Hi, Just received this email from a random person saying they were able to obtain the username and password for the site admin page from the MySql Database: [07:33:33] [INFO] testing if GET parameter 'id' is dynamic [07:33:34] [INFO] confirming that GET parameter 'id' is dynamic [07:33:35] [INFO] GET parameter 'id' is dynamic [07:33:35] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis [07:33:35] [INFO] testing unescaped numeric injection on GET parameter 'id' [07:33:37] [INFO] confirming unescaped numeric injection on GET parameter 'id' [07:33:37] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis [07:33:37] [INFO] testing for parenthesis on injectable parameter [07:33:40] [INFO] the injectable parameter requires 0 parenthesis [07:33:40] [INFO] testing MySQL [07:33:41] [INFO] confirming MySQL [07:33:41] [INFO] query: SELECT 0 FROM information_schema.TABLES LIMIT 0, 1 [07:33:41] [INFO] retrieved: 0 [07:33:51] [INFO] performed 13 queries in 9 seconds [07:33:51] [INFO] the back-end DBMS is MySQL web server operating system: Linux Red Hat web application technology: PHP 5.2.11, Apache 2.2.3 back-end DBMS: MySQL >= 5.0.0 +-------+------------------------ +----------- +---------- +---------------------------------- +--------+--------------- + | admin | email | firstname | lastname | password | userid | username | +-------+------------------------ +----------- +---------- +---------------------------------- +--------+--------------- + | 1 | blah | blah | blah | blah | 1 | blah | +-------+------------------------ +----------- +---------- +---------------------------------- +--------+--------------- + blah MD5 : blah -- I've changed all the details to 'blah' for the purpose of this post. Does anyone know how I can secure my PHP to stock this injection? Thanks, Jack I've tried this: <?php $xsblock = $_SERVER['HTTP_REFERER']; $url = "testchan"; $pos = strpos($xsblock, $url); if ($pos == false) { die(); } else { echo "content content content content content content content content"; } ?> How can I do this correctly? Thanks in advance! I need a way to keep entrys into a database from being doubled. The issue is that on something like %7B%7D that is the same as {} in html. So if one is entered in with the percentages and one is entered in normal, the data base thinks they are two different items even though they could be the exact same thing. Now when I insert the new item into the data base the value ='s mysql_real_escape_string(htmlentities(item)) is how I do it now. This is wrong im guessing cause it could go with either of the above examples and puts them in as given. So my question here is kinda two parted. 1) how do I get it to insert the info one way or the other but never both being allowed. So {} will always show %7B%7D when inserted or visa versa. and 2) How do I take an existing database and sort threw it to make sure they are all the same as 1 codes the new ones in, and take out any possible dupilications due to the difference? I need some quick help with this, This is my file upload row loop, I want to add the if <b>k = 4</b>, then you have reached the maximum upload. Or something to that Effect. PRetty much only allowing 4-upload per user, before stoping the upload feature.. row count Code: [Select] <?php $k = 4; //$n=5; for ($i=0, $n=count( $this->songs ); $i < $n; $i++) //for ($i=0, $n=count( $this->songs ); $i < $n; $i++) { $song = &$this->songs[$i]; $checked = JHTML::_('grid.id', $i, $song->id ); $link_edit = JRoute::_( 'index.php?userid='.$this->xxx->user_id.'&layout=form&id=' . $song->id .'&from=xxx'); $tick = JHTML::image("images/tick.png",JText::_('Yes')); $tick_file = JHTML::image("images/tick.png",JText::_('Yes'),array("title" => $xxx->filename)); $cross = JHTML::image("images/publish_x.png",JText::_('No')); ?> End row count Code: [Select] <?php $k = 1 - $k; } ?> |
|||||||