raw-power Comments - Answer Overflow

raw-power

Posts Comments

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

thank you, yes it does

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

😭

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

but if I'm the only one uploading files to the server through my backend, then I could just turn uploads off like this?

<?php
// Check if a file was uploaded
if (isset($_FILES['file'])) {
    // Get the MIME type of the uploaded file
    $file_type = mime_content_type($_FILES['file']['tmp_name']);
    
    // Define an empty array of allowed types
    $allowed_types = [];
    
    // Check if the file type is in the allowed types array
    if (!in_array($file_type, $allowed_types)) {
        die('File uploads are not allowed.');
    }
    
    // check the file extension
    $file_extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    $allowed_extensions = [];
    
    if (!in_array($file_extension, $allowed_extensions)) {
        die('File uploads are not allowed.');
    }
    
    // If the file type and extension are allowed, proceed with the upload
    // (In this case, no file types or extensions are allowed, so this code will never be reached)
}
?>

<?php
// Check if a file was uploaded
if (isset($_FILES['file'])) {
    // Get the MIME type of the uploaded file
    $file_type = mime_content_type($_FILES['file']['tmp_name']);
    
    // Define an empty array of allowed types
    $allowed_types = [];
    
    // Check if the file type is in the allowed types array
    if (!in_array($file_type, $allowed_types)) {
        die('File uploads are not allowed.');
    }
    
    // check the file extension
    $file_extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    $allowed_extensions = [];
    
    if (!in_array($file_extension, $allowed_extensions)) {
        die('File uploads are not allowed.');
    }
    
    // If the file type and extension are allowed, proceed with the upload
    // (In this case, no file types or extensions are allowed, so this code will never be reached)
}
?>

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

huh? it's just a contact form, three fields, Name, Email and Phone. They can use the form to upload files???

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

I don't mind getting some spam, it's just I don't want my whole site deleted and replaced by a bunch of random pages (like had happened before)

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

and the risk of exploiting the server (putting files, executing, manipulating the db)?

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

so you think this, plus the prepared statements in my higher up example for the form itself, plus the recaptcha should be sufficient?

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

phew

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

only once the time limit is exceeded no?

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

this??

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Start a transaction
$conn->begin_transaction(MYSQLI_TRANS_START_READ_WRITE);

// Lock the table to prevent concurrent access
$conn->query("LOCK TABLES submissions WRITE");

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('s', $ip_address);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            // Unlock the table and rollback the transaction
            $conn->query("UNLOCK TABLES");
            $conn->rollback();
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = ?, last_attempt = NOW() WHERE ip_address = ?";
            $stmt = $conn->prepare($query);
            $stmt->bind_param('is', $attempts, $ip_address);
            $stmt->execute();
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = ?";
        $stmt = $conn->prepare($query);
        $stmt->bind_param('s', $ip_address);
        $stmt->execute();
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES (?, 1, NOW())";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('s', $ip_address);
    $stmt->execute();
}

// Unlock and commit 
$conn->query("UNLOCK TABLES");
$conn->commit();

// sending email
mail($to, $subject, $message, $headers);
?>

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Start a transaction
$conn->begin_transaction(MYSQLI_TRANS_START_READ_WRITE);

// Lock the table to prevent concurrent access
$conn->query("LOCK TABLES submissions WRITE");

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('s', $ip_address);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            // Unlock the table and rollback the transaction
            $conn->query("UNLOCK TABLES");
            $conn->rollback();
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = ?, last_attempt = NOW() WHERE ip_address = ?";
            $stmt = $conn->prepare($query);
            $stmt->bind_param('is', $attempts, $ip_address);
            $stmt->execute();
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = ?";
        $stmt = $conn->prepare($query);
        $stmt->bind_param('s', $ip_address);
        $stmt->execute();
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES (?, 1, NOW())";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('s', $ip_address);
    $stmt->execute();
}

// Unlock and commit 
$conn->query("UNLOCK TABLES");
$conn->commit();

// sending email
mail($to, $subject, $message, $headers);
?>

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

fml

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

so, like this?

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('s', $ip_address);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = ?, last_attempt = NOW() WHERE ip_address = ?";
            $stmt = $conn->prepare($query);
            $stmt->bind_param('is', $attempts, $ip_address);
            $stmt->execute();
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = ?";
        $stmt = $conn->prepare($query);
        $stmt->bind_param('s', $ip_address);
        $stmt->execute();
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES (?, 1, NOW())";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('s', $ip_address);
    $stmt->execute();
}

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('s', $ip_address);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = ?, last_attempt = NOW() WHERE ip_address = ?";
            $stmt = $conn->prepare($query);
            $stmt->bind_param('is', $attempts, $ip_address);
            $stmt->execute();
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = ?";
        $stmt = $conn->prepare($query);
        $stmt->bind_param('s', $ip_address);
        $stmt->execute();
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES (?, 1, NOW())";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('s', $ip_address);
    $stmt->execute();
}

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

seems so

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

how is anyone implementing forms on their sites!?!

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

omg

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

the ip address can be manipulated to inject sql code???

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

which part do you see as a possible injection risk? none of this is coming from the form fields. not sure I understand what you meant by not needing to read and send to the database to increment, and yes, removing the closing tag for server efficiency, just keeping it there when doing snippet examples

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

then how about using the database to store the session details such as:

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = '$ip_address'";
$result = $conn->query($query);

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = $attempts, last_attempt = NOW() WHERE ip_address = '$ip_address'";
            $conn->query($query);
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = '$ip_address'";
        $conn->query($query);
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES ('$ip_address', 1, NOW())";
    $conn->query($query);
}

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

<?php
$ip_address = $_SERVER['REMOTE_ADDR'];
$time_limit = 60; // Time limit in seconds
$max_attempts = 5; // Maximum number of attempts allowed

// Connect to the database
$conn = new mysqli('hostname', 'username', 'password', 'database');

// Check if the IP address exists in the database
$query = "SELECT * FROM submissions WHERE ip_address = '$ip_address'";
$result = $conn->query($query);

if ($result->num_rows > 0) {
    $row = $result->fetch_assoc();
    $last_attempt = strtotime($row['last_attempt']);
    $attempts = $row['attempts'];

    if (time() - $last_attempt < $time_limit) {
        if ($attempts >= $max_attempts) {
            die('You have exceeded the maximum number of submissions. Please try again later.');
        } else {
            $attempts++;
            $query = "UPDATE submissions SET attempts = $attempts, last_attempt = NOW() WHERE ip_address = '$ip_address'";
            $conn->query($query);
        }
    } else {
        $query = "UPDATE submissions SET attempts = 1, last_attempt = NOW() WHERE ip_address = '$ip_address'";
        $conn->query($query);
    }
} else {
    $query = "INSERT INTO submissions (ip_address, attempts, last_attempt) VALUES ('$ip_address', 1, NOW())";
    $conn->query($query);
}

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

This plus ReCaptcha should do it? or can they still be bypassed?

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

oh didn't consider rate limiting, thank you, would throttling like this work?

<?php
session_start();
$time_limit = 60; // Time limit in seconds

if (isset($_SESSION['last_submission'])) {
    $last_submission = $_SESSION['last_submission'];
    if (time() - $last_submission < $time_limit) {
        die('Please wait before submitting the form again.');
    }
}

$_SESSION['last_submission'] = time();

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

<?php
session_start();
$time_limit = 60; // Time limit in seconds

if (isset($_SESSION['last_submission'])) {
    $last_submission = $_SESSION['last_submission'];
    if (time() - $last_submission < $time_limit) {
        die('Please wait before submitting the form again.');
    }
}

$_SESSION['last_submission'] = time();

// Proceed with sending the email
mail($to, $subject, $message, $headers);
?>

89 replies

KPCKevin Powell - Community

•Created by raw-power on 1/21/2025 in #back-end

Forms and Site Security Help

I don't need gdpr where I am which is why it's not implemented. why do you say sending from my own server would be an annoying amount of work?

89 replies

Gaming

Programming