I plan to prepare a gallery (in php) with a voting option. However, I've got security problems and do not know how to resolve them.
I would like it to be possible to vote only one time per 24 hours. I tried to use IP address verification, but depending on ISP it may change after reconnection. Cookies can be removed from the computer.
I considered another approach: sending an email to the person with a link that they click to vote. That would be saved in the db with a 24-hour restriction for the IP address and email address.
Unfortunately these options do not give a guarantee. Do you have any more security tips? Would you advise something else?
PS- A CAPTCHA seems nice, but users may not want to vote while experiencing any difficulties.
Why not allow voting only to registered users?
This can be achieved through obscurity. As Subdigger and Oltarus stated, allowing only registered users to vote is the only real way.
Most automated polling code only submits to the form directly. You can set a cookie and record the user activity to see if they actually visit the polling page before submitting.
I noticed that this email address graceamsalu10#yahoo.com compromised my site and sent a message (not email, it used the site's message app) to every member on the site. It registered and activated its membership through email. I ran a Google search on the email and all the results on the first page were showing other websites where the same email address sent exactly the same message that it sent to members on my site.
Please has anyone encountered this attack before?
And what are the ways I could use to prevent further similar attacks on my sites? Thank you.
My website was developed with PHP and MYSQL
Use Google captcha. Even humans sometimes are not able to understand it ;)
http://www.google.com/recaptcha
Also it is good practice nowadays to confirm registration by sms. Some services provide this for free! (they add little ads in the text). Works perfectly.
After this step you can implement a ban system, and it will be much harder to create fake accounts to do bad things on your website.
You can try some things ...
a. check the referrer on form posts, and deny posts from other URLs (whether the form was posted from your website or from a remote script)
b. use captcha images (i really don't like it)
c. limit daily user posts per account or minute
Hope this helps you.
Captcha is one thing among many others, but one that, added to captcha, will keep them away mostly: for each message sent, record in the database the unix time for that user, set a value for $timeBetweenMessages (for example 60 seconds), and each time someone wants to send a message, if $timeBetweenMessages has not passed then they need to wait. Usually all "hackers" look for a way to do things fast and leave; no sane "hacker" will stay on your web site to send messages every $timeBetweenMessages interval.
If you want to spare your regular users the CAPTCHA hassle, you can use a service like Mollom or Akismet to check the messages and postings for spammy content before they are sent. Both services offer PHP libraries.
I currently have a website built in PHP, I'm hoping to build a referral system tonight.
My theory is that if I dynamically generate a url and place it on my users' homepage such as
"Referral url = www.mysite.co.uk/referral.php?user=myuser"
Then I could have a script in the page referral.php which gets the username and runs an SQL query updating their corresponding row in my table.
The only thing is anybody could then add their own name and sign up multiple accounts.
What is the best way to go about building something like this?
Thanks
Suppose that to get the referral url my users had to click a button which generates the referral url as a random value, i.e. mysite.com/refer.php?user=234234, at the same time storing it in the db.
Once somebody visits the page refer.php, the referrer then gets his credits or benefit added to his row in the db, at the same time setting his referral code to 0, making the code only available once.
Each time he hits the button on his page, his referral code would change.
Would this be valid do you think?
You generally have the right idea, but protecting against fraud in a referral system is difficult. You can check for unique IP addresses in $_SERVER and add that to the database for each request, throwing away duplicates or limiting referrals from IP addresses that don't come from the user who signed up. Like HTTP_REFERRER, this can be spoofed as well with ease (using TOR for example).
It's a tough problem that isn't something you can truly "solve." Like most fraud cases, you can only do your best to mitigate the effect.
EDIT TO ADD: You can also require referrals to "mature" by forcing the referred user to be active on the site for a defined period of time (say, 30 days) to increase the effort of spammers/cheaters. But again, this doesn't "solve" the problem - all you can do is make it tougher for them to game the system. And occasionally, by doing this stuff, you can ruin user experience. So how do you balance it? Tough question. :)
EDIT TO ADDRESS YOUR EDIT: Contemplate the following scenarios if we implement your plan:
1) I click the button and get my code. Then I paste it to... who exactly? One person? That's not particularly good for sharing on Facebook, MySpace (does this exist?), or my personal blog. I have to generate a referral code for EVERY person I send to the site? That not only scales terribly, but is a horrible user experience as well.
2) Let's say I figure out what you're doing. I develop a bot that clicks that button 4 trillion times. What now?
You could use the 'HTTP_REFERER' value to check what page the request came from, and only allow votes for that user from their page. This can be spoofed, but most people won't know how.
You can count the referral points for some additional action on your site, for example registration or payment or anything that is behind captcha check.
But do not build any obstacles for your regular legit users!
you could embed this information in the POSTDATA - it's a tad more secure.
Or you can add a restriction that any user may be upvoted ONLY by any other EXISTING user only once. And to make it more "secure", generate userIds with a random seed.
I have a classifieds website, where users must fill in a form to post a classified (of course).
I wonder, do you think I need some form of captcha on the form?
Also, I am working on a "register" page where users may get their own username/pass and login to post classifieds more easily.
Also, I have a mail-server setup...
So now, users may click on a classified and at the bottom fill in just three fields in a form (name, email, message) and send an email to the poster of the classified. No captcha there. Is this safe?
My firewall is set up so that it is preventing any outside access to the mail-server except from the website's IP.
Can I set up the firewall to some settings so that I don't need captcha?
I have my own Virtual Private Server btw, and it is running Ubuntu.
A follow-up Q is, if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
Would my site and mail-server get blacklisted? Is this reversible or do I have to create a new mail-server then?
Thanks
I go by the design principle of "least barrier to entry". You want people to use your site, so you want to make it as easy as possible for them. Anything at all -- including a captcha -- might turn them away. So my standard line would be to definitely not include a captcha anywhere until you've actually seen a problem with spam. And even then, see if the problem can be solved without a captcha first.
Regarding your question of "well what if a spam bot starts spamming". Simple solution to this is to pre-implement a rate limit. Make it so that someone at a given IP address cannot initiate the sending of an email more frequently than say once every minute. This will not actually cause a problem for real people, but will stop a spam bot in its tracks. You can even try to detect situations where you see a high rate and temporarily block that IP address for 24 hours. That will prevent even the once-a-minute spam.
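The following is an added example, not code from either answer: one limiter that covers both the per-user $timeBetweenMessages check from the message-spam answer earlier on this page and the per-IP "once a minute, then block for 24 hours on a burst" idea in this answer. The in-memory array stands in for the MySQL table that would hold the last-send unix time; class, method and threshold names are assumptions.

```php
<?php
declare(strict_types=1);

final class SendLimiter
{
    /** @var array<string, array{last:int, hits:int, blocked_until:int}> keyed by user id or IP */
    private array $state = [];

    public function __construct(
        private int $timeBetweenMessages = 60, // seconds a key must wait between sends
        private int $burstLimit = 5,           // too-soon attempts that trigger a block
        private int $blockSeconds = 86400      // length of the temporary block (24 hours)
    ) {}

    /** Returns true if a send keyed by $key (user id or client IP) is allowed at $now. */
    public function allow(string $key, int $now): bool
    {
        $s = $this->state[$key] ?? ['last' => 0, 'hits' => 0, 'blocked_until' => 0];
        if ($now < $s['blocked_until']) {
            return false; // still inside a temporary block
        }
        if ($now - $s['last'] < $this->timeBetweenMessages) {
            // Too soon: count the attempt; a burst of them escalates to a 24 hour block.
            $s['hits']++;
            if ($s['hits'] >= $this->burstLimit) {
                $s['blocked_until'] = $now + $this->blockSeconds;
                $s['hits'] = 0;
            }
            $this->state[$key] = $s;
            return false;
        }
        // Accepted: store the unix time of this send (the DB column from the earlier answer).
        $this->state[$key] = ['last' => $now, 'hits' => 0, 'blocked_until' => 0];
        return true;
    }
}

// Key on the logged-in user id for the message form, or on the client IP for
// anonymous contact forms. REMOTE_ADDR is missing on the CLI, so a constructed
// TEST-NET address is used as a fallback there.
$limiter = new SendLimiter();
$key = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.5';
$now = time();
if (!$limiter->allow($key, $now)) {
    http_response_code(429);
    exit('Please wait a moment before sending another message.');
}
// ... send the message here ...
```

In a real deployment the state array is replaced by a row per key in MySQL (or a cache), and the burst and block values are tuned to the site's normal traffic so that a double-clicked submit button does not earn a legitimate user a 24 hour block.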
I can see two situations where you might be thinking of using Captchas.
Registration
Interaction/Contact Form
However, captcha does tend to upset and drive away users if overused.
So, in these instances:
Registration
The easiest way to stop, or at least inconvenience, anyone trying to create bulk accounts would be to use an email confirmation. So, the user fills out the form, including their email address. The form then sends them an email, which contains a link they must click to activate the account and allow them to login.
Interaction/Contact Form
There will be two kinds of people who will interact through this form. There will be registered, and logged-in users and there will be casual visitors. As Captcha is a method to test for whether a person is a person or not, any registered/logged-in users have already proven themselves, there is no need to use Captcha for them.
However, for casual, non-logged-in users, you can use the Captcha.
So, the short version, as you can tell, I hate Captcha, and only use it when absolutely necessary.
Captcha is mainly used for security purposes to stop automation. For example, if you have a signup column, a geek can easily make 1000 users within minutes if he automates it, and you lose so much space. At the same time, if you use captcha, it's much safer and you can be sure that all the users are human and none are computer-generated usernames.
So if you take your website seriously, I would suggest going for captcha. But keep it simple like they have at Megaupload. I don't know which service that is, but still it's simple.
Definitely YES.
Take a look at reCAPTCHA
You have a PHP plugin here
Can I set up the firewall to some settings so that I don't need captcha?
No. Captcha and firewall are totally different things and cannot be used as the alternative of each other.
A follow-up Q is, if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
One can write a script which will automate the registration process on your website. It can create many accounts on your server and/or can post some content which is not good for your website, or can use your website for some other person's ads.
Better try Sblam; it's transparent for the visitors, there is no need for user input, and it works well for me on numerous sites.
Let's say you have a website contest programmed in PHP, and the user must click their favorite picture. Now from what I hear, there are ways to dynamically change your IP address, such as with the iPhone, so it looks like you are someone else and therefore you can continuously click the same picture over and over in a matter of minutes, thereby finding a loophole in the contest and causing cheating.
First, I would like to know whether this is true and second if it is true, are there ways to address this issue? And if there aren't, can a user really change their ip address so many times in a matter of minutes?
Thanks for any response.
In some cases, it is possible to change your IP address with a simple script.
To prevent fully automated votes, you could use CAPTCHA. To prevent users from clicking over and over, you could implement user registration and limit the votes per user.
Here are some other options to consider:
You could require an email address to vote.
You could set some cookies. These are easily bypassed, but the way you get around them bypassing it is by allowing them to vote multiple times without telling them they have already voted, but not incrementing the value of the vote.
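An added example, not the original poster's or any answer's code: a vote recorder that enforces the "one vote per 24 hours" rule asked about in the gallery question at the top of this page and applies the trick from this answer, returning the same reply for a repeat vote but not counting it. The arrays stand in for the MySQL tables; the class, method and key names are assumptions.

```php
<?php
declare(strict_types=1);

final class VoteBook
{
    private const WINDOW = 86400; // one counted vote per voter per picture per 24 hours
    /** @var array<string, int> "voter|picture" => unix time of the last counted vote */
    private array $lastVote = [];
    /** @var array<string, int> picture id => counted votes */
    private array $tally = [];

    /**
     * $voterKey identifies the voter: a registered user id, or, much weaker,
     * a hash of a cookie token plus the client IP. The reply is always the
     * same, so a repeat voter cannot tell whether the vote was counted.
     */
    public function vote(string $voterKey, string $pictureId, int $now): string
    {
        $k = $voterKey . '|' . $pictureId;
        $last = $this->lastVote[$k] ?? null;
        if ($last === null || $now - $last >= self::WINDOW) {
            $this->lastVote[$k] = $now;
            $this->tally[$pictureId] = ($this->tally[$pictureId] ?? 0) + 1;
        }
        // Inside the window the vote is silently dropped: no error, no hint.
        return 'Thanks for voting!';
    }

    public function count(string $pictureId): int
    {
        return $this->tally[$pictureId] ?? 0;
    }
}

// Constructed sample run: three votes from the same voter on one picture.
$book = new VoteBook();
$t = 1_700_000_000;
$book->vote('user:42', 'pic:7', $t);          // first vote in the window
$book->vote('user:42', 'pic:7', $t + 3600);   // one hour later, same reply
$book->vote('user:42', 'pic:7', $t + 90_000); // 25 hours later, a new window
echo $book->count('pic:7'), PHP_EOL;
```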
I was trying to build a subscription system which is only for registered users. Up to the registration stage, I am okay. But I don't want users to share their username and password with others because of the paid content. How can I prevent this?
Check with IP? But what if they are on a dynamic IP, or using a proxy?
Stored cookies can be changed?
Can anyone please kindly suggest how I can prevent this? I know there's no 100% bullet-proof solution, but somehow a little bit tighter security system.
Language will be with php, mysql, javascript.
I recommend a heuristics-based approach: if you detect something suspicious (e.g. a user connecting from many different IPs), then you log this and it increments some counter in the user's record; if the counter grows big enough, then you get a notification and decide what to do.
It won't eliminate all cases of account sharing but hints at the problem users.
When your content is paid content, tell the users that they have to enter their credit card information every 10th login. I think this will stop them from sharing accounts. (When the CC information is wrong, the account will be closed.)
Other idea: Limit the Sessions for one user to 2 - 3. They will think twice to share their credentials if they are not able to login when their friends are connected.
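An added example, not code from either answer: the heuristic counter from the first answer (distinct client IPs for one user inside a window bump a counter, and a threshold flags the account for the admin) combined with the concurrent-session cap from this answer. The arrays stand in for MySQL; class, method and threshold names are assumptions.

```php
<?php
declare(strict_types=1);

final class SharingMonitor
{
    private array $ipsSeen = [];   // user id => [ip => last seen]
    private array $suspicion = []; // user id => heuristic counter
    private array $sessions = [];  // user id => [session id => last activity]

    public function __construct(
        private int $window = 3600,       // seconds an IP sighting or idle session stays live
        private int $maxIpsPerWindow = 2, // more distinct IPs than this per window is suspicious
        private int $flagAt = 3,          // counter value at which to notify the admin
        private int $maxSessions = 2      // concurrent logins allowed per user
    ) {}

    /** Keep only entries seen within the window. */
    private function live(array $entries, int $now): array
    {
        return array_filter($entries, fn (int $t): bool => $now - $t < $this->window);
    }

    /** Login attempt: refused while the user already has $maxSessions live sessions. */
    public function login(int $userId, string $sessionId, int $now): bool
    {
        $live = $this->live($this->sessions[$userId] ?? [], $now);
        if (count($live) >= $this->maxSessions) {
            return false;
        }
        $live[$sessionId] = $now;
        $this->sessions[$userId] = $live;
        return true;
    }

    /** Authenticated request: refresh the session, then score distinct IPs in the window. */
    public function touch(int $userId, string $sessionId, string $ip, int $now): void
    {
        $this->sessions[$userId][$sessionId] = $now;
        $seen = $this->live($this->ipsSeen[$userId] ?? [], $now);
        $seen[$ip] = $now;
        $this->ipsSeen[$userId] = $seen;
        if (count($seen) > $this->maxIpsPerWindow) {
            $this->suspicion[$userId] = ($this->suspicion[$userId] ?? 0) + 1;
        }
    }

    /** True once the counter says an admin should look at this account. */
    public function flagged(int $userId): bool
    {
        return ($this->suspicion[$userId] ?? 0) >= $this->flagAt;
    }
}
```

Call login() when a user signs in and touch() on every authenticated request; flagged() feeds an admin report or a periodic job that sends the notification, since the counter alone does not lock anyone out.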