IP ban with php / mysql

I want to be able to ban users by IP. My idea is to save the IP list as rows in the BannedIPs table (the IP column will be an index).

To check the IP of users against the table, I will store a session variable named $_SESSION['IP'] for each session. If on any request $_SESSION['IP'] does not match $_SERVER['REMOTE_ADDR'], I will update $_SESSION['IP'] and check the BannedIPs table to see if the IP is denied. (A flag that determines whether the user is denied will also be saved as a session variable.)

Here is what interests me:

  • Does this sound like a good strategy in terms of speed and security (can anyone somehow get around the IP ban other than by changing their IP address, editing, or using a proxy server)?
  • What is the best way to structure a MySQL query that checks whether a row exists? That is, what is the best way to query the DB to see if a row with a specific IP address exists (to check if it is banned)?
  • Should I save IPs as integers or strings?

Note that...

  • I believe that the database will store between 1,000 and 100,000 banned IP addresses.
  • $_SERVER['REMOTE_ADDR'] is the IP address from which the current request was sent.
+3
5 answers

-, MySQL PHP . Apache Deny IP- , , , .

.htaccess .

, 2 IP- (DNS- Google , ) , ...

Order Allow,Deny
Deny from 8.8.8.8
Deny from 8.8.4.4
Allow from all

ErrorDocument 403 /access_is_denied.htm

mod_authz_host Apache 2.2. Apache mod_authz_host .


  • $_SESSION['IP'] , IP- $_SERVER['REMOTE_ADDR']? , , - ... , IP- , .

  • , IP- INT ( 2 BIGINT, IPv6). , , .

... , . IP- , .

+6
  • , HTTP.
  • Select Count(*) from bannedIPs where ip = $input, 0, IP .

, , , ip. , . . , , , , ip- . , , XSS, SQL- ..

+2


, IPv6, IPv4, 128- .

+1

10.000 - MySQL. , .

, , , IP-?

, . AOL, - AOL, IP-, -. .

IP- ($ _SESSION ['IP']), .


// The mysql_* extension used originally was removed in PHP 7; this assumes an
// existing mysqli connection in $db. A prepared statement replaces manual
// escaping of the address taken from $_SERVER['REMOTE_ADDR'].
$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $db->prepare("SELECT ip FROM ip_blacklist WHERE ip = ? LIMIT 1");
$stmt->bind_param('s', $ip);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
 // match found: this address is blacklisted
}
else {
 // no match found
}
$stmt->close();

, IP-. 192.168.0.1 192.168.0.%:

… WHERE ip LIKE '192.168.0.%'

, IP-.

, . , / .

+1
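Putting the session-cached check from the question together with the prepared-statement lookup and the integer/binary storage advice from the answers, as an added example that is not code from the original thread. It assumes a mysqli connection and a constructed table banned_ips with a VARBINARY(16) column ip, holding INET6_ATON() values so both IPv4 and IPv6 addresses fit one indexed column.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   CREATE TABLE banned_ips (ip VARBINARY(16) NOT NULL PRIMARY KEY);
// Rows are inserted with INSERT INTO banned_ips VALUES (INET6_ATON('203.0.113.9'));
declare(strict_types=1);

session_start();

function ipIsBanned(mysqli $db, string $ip): bool
{
    // Validate before the value reaches SQL; REMOTE_ADDR is set by the web
    // server, but the check costs nothing and documents the expectation.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // malformed value cannot match a stored address
    }
    // Parameter binding, not string concatenation; INET6_ATON normalises the
    // textual address to the same binary form the table stores.
    $stmt = $db->prepare('SELECT 1 FROM banned_ips WHERE ip = INET6_ATON(?) LIMIT 1');
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $stmt->store_result();
    $banned = $stmt->num_rows > 0;
    $stmt->close();
    return $banned;
}

function requestIsBanned(mysqli $db): bool
{
    // Only the direct peer address is trustworthy here; headers such as
    // X-Forwarded-For are client-supplied unless a trusted proxy sets them.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    // Hit the database only when the address differs from the one last checked
    // in this session. Caveat: a ban added while a session is active is not
    // seen until the address changes or the session ends, so keep session
    // lifetimes short or re-check on a timer if that delay matters.
    if (!isset($_SESSION['ip']) || $_SESSION['ip'] !== $ip) {
        $_SESSION['ip'] = $ip;
        $_SESSION['banned'] = ipIsBanned($db, $ip);
    }
    return (bool) $_SESSION['banned'];
}

$db = new mysqli('localhost', 'app_user', 'placeholder_password', 'app_db'); // placeholders
if (requestIsBanned($db)) {
    http_response_code(403);
    exit('Access denied');
}
```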
  • http://www.rubyrobot.org/article/protect-your-web-server-from-spambots

    , PHP ( ), PHP. , , .

    , , - , iptables. script, . - - , CSV, , .

    In any case, IPTables is much more efficient than a full database query.

  • Make sure you escape the IP if using SQL. I might be paranoid, but I have seen all kinds of pointless drops through $_SERVER['REMOTE_ADDR'].

  • String. They are not numbers, they are four numbers. And IPv6 is hexadecimal. The string covers all bases with tiny processing costs.

You should also know that server vars may be lying. Read: Getting the real IP address of your users

+1
Source: https://habr.com/ru/post/1748773/