View Full Version : .htaccess and MySQL



Techykid3
08-28-2011, 08:38 PM
I want to pull a list of banned IPs from a MySQL database.

And/or, how does forum software ban IP addresses, does it somehow insert into a .htaccess file?

Orrr... Is there a way to ban users without using .htaccess, what I want to do is use a php file, to ban someone, I would put a link, that would be like this: http://mysite.com/xxxxxx/ban.php?ip=xx.xx.xx.xx

traq
08-28-2011, 11:16 PM
why ip banning is useless (http://kalsey.com/2004/02/why_ip_banning_is_useless/)

additionally, I would strongly recommend not using a url as your user interface. Anyone who knows (or discovers) the location of your banning script could start banning legitimate users from your site, without your knowledge.

the internet is designed so that GET requests (in the url, after the ?) are solely for asking for info from a site. To make changes, you should be using forms and the POST request method.

--------------------------
now that that's cleared up, here's what you want to do:

1. set up a database to hold the banned ip addresses.
2. php can use $_SERVER['REMOTE_ADDR'] to get the ip address of the user.*
3. check the current ip against those in the database. if there is a match, stop the script (or redirect, etc.).

to add an address to your banned list:
1. make a form where you can submit the ip address.
2. add the address to your database.

*_supposed_ ip address. read my first link above.

forum software will all have different approaches, but they're all equally ineffective. it's pretty easy to find tutorials (http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=php+mysql+ip+banning), though.

JShor
08-29-2011, 12:25 AM
I concur with everything Adrian just said, and I add that you should just modify your .htaccess file with PHP, and just ignore MySQL entirely. Not only does it make things much slower, it's also more elegant.

traq
08-29-2011, 03:31 AM
true, but if you go that route, make sure your script is very well-written, secure, with tight validation. one typo in .htaccess will kill your whole site. and an inserted line will give it to someone else.

djr33
08-29-2011, 04:28 AM
What do you mean by "give it to someone else"?

traq
08-29-2011, 05:14 AM
for example, if the script is poorly validated, a malicious user might figure out a way to insert entire lines in your htaccess file. issue redirects to a spoof site. password-protect it and lock you out, maybe.

unlikely, but possible. and you can delete the file via ftp if you have to. but it's still a risk.

djr33
08-29-2011, 05:57 AM
Ah, yes. ".htaccess injection". That's a new one. Good point.

traq
08-29-2011, 04:01 PM
as I said, unlikely - it's far more likely you'll just break your site with a typo. but htaccess is _far_ more powerful than most people realize.

Techykid3
08-29-2011, 06:28 PM
And how would I list the banned IPs on a website, if I did use PHP?

And how do I use PHP to connect to the .htaccess file?

JShor
08-29-2011, 07:41 PM
You would open the file remotely, ensuring that only your server has read/write permission on the file. Then you would write to it, and close the file.

Something like this:


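<?php
$ip  = "192.168.0.1";
$dir = "/home/directory/.htaccess";

// Read the existing rules first: opening with "w" below truncates the file.
$contents = file_get_contents($dir);

// fopen() requires a mode argument.
$htaccess = fopen($dir, "w");

// Write the old contents back with the new deny rule on its own line.
fwrite($htaccess, $contents."\nDENY FROM $ip");
fclose($htaccess);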


This is purely sample code for demonstration only. Please don't sue me.
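
An added example, not part of the original posts: one way to apply the "tight validation" traq asks for before anything is written to .htaccess, so that a submitted value can only ever become a single deny rule. The function name `ban_ip` and the temporary file used in the demo are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). ban_ip() is a hypothetical helper.

/**
 * Append "Deny from <ip>" to an .htaccess file.
 * Returns false if $ip is not exactly one IP address or the write fails.
 */
function ban_ip(string $htaccessPath, string $ip): bool
{
    // FILTER_VALIDATE_IP accepts only a literal IPv4/IPv6 address, so input
    // carrying a newline, a space or directive text never reaches the file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $line = "Deny from $ip";

    // "c+" opens for read/write without truncating (creates if missing).
    $fh = fopen($htaccessPath, 'c+');
    if ($fh === false) {
        return false;
    }
    // Exclusive lock so two simultaneous bans cannot interleave their writes.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $current = (string) stream_get_contents($fh);
    $existing = array_map('trim', explode("\n", $current));
    $ok = true;
    if (!in_array($line, $existing, true)) {      // skip duplicate rules
        fseek($fh, 0, SEEK_END);
        // Make sure the new rule starts on its own line.
        $prefix = ($current === '' || substr($current, -1) === "\n") ? '' : "\n";
        $ok = fwrite($fh, $prefix . $line . "\n") !== false;
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Constructed demo against a temporary file, not a live .htaccess.
$tmp = tempnam(sys_get_temp_dir(), 'hta');
var_dump(ban_ip($tmp, '203.0.113.7'));   // a single address
var_dump(ban_ip($tmp, "203.0.113.7\nRedirect / http://example.invalid/")); // address plus an extra line
echo file_get_contents($tmp);
unlink($tmp);
```

The script that calls such a function still needs to sit behind authentication and accept the address via POST, as discussed earlier in the thread.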

Techykid3
09-01-2011, 08:37 PM
What does "Don't sue me" mean? This isn't legal stuff lol.

JShor
09-01-2011, 09:04 PM
Did you get it working?