Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate and be done.

A better way to stop attacks is to have a tally of failed logins if you really are that worried someone is going to brute-force you. Then after 3 fails, just don't let that IP connect or add other intelligent handling. Maybe add them to a 'ban list' after x amount of failed tries. You can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

> -----Original Message-----
> From: John W. Holmes [mailto:holmes072000@xxxxxxxxxxx]
> Sent: Tuesday, July 20, 2004 7:10 AM
> To: ..: GamCo :..
> Cc: php-db@xxxxxxxxxxxxx
> Subject: Re: Wait Statement... ?
>
> ..: GamCo :.. wrote:
> > ok, i added the sleep() function in my page. what i'm basically doing is :-
> >
> > i have a .php page where people log-in from. from there i send the form to
> > another .php page that actually checks the login and registers a session
> > with the username and password as session variables. then on the page that
> > actually does the validation, i have something that says : validating
> > login... sleep 1 function. then, i have another line that says validation
> > successfull... sleep 1 function and then i have another line that says
> > redirecting... with sleep 1 function and then header redirects to the actual
> > logged-in.php file. the redirect and validation works perfectly as well as
> > the sleep functions, but it now doesn't display the validating login... blah
> > blah blah stuff which is done in normal html code...
>
> You are very confused. Read the manual page on header(). You can't have
> any output before you try to redirect with a header().
>
> If you're trying to implement some sort of brute force protection by
> using sleep(), you're using it in the wrong method, anyhow. Your login
> processing script should sleep for a second or two whether the login is
> correct or not and it should be the first thing that it does (i.e.
> before any output or redirection). If you only sleep() on failures and
> redirect on good logins, brute force methods can pick up on that and
> adjust their methods to get around the wait time.
>
> --
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals - www.phparch.com
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
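
Added example, not part of the original message or the thread: one way to keep the per-IP tally of failed logins and the "ban after 3 fails" rule the reply describes, using PDO with an in-memory SQLite database. The 15-minute ban window, the login_fails table and all function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. MAX_FAILS = 3 follows the post;
// BAN_SECONDS, the login_fails table and all function names are assumptions.
const MAX_FAILS = 3;
const BAN_SECONDS = 900;

function clearFails(PDO $db, string $ip): void {
    $db->prepare('DELETE FROM login_fails WHERE ip = ?')->execute([$ip]);
}

// True while the IP has MAX_FAILS or more failures inside the ban window.
function isBanned(PDO $db, string $ip, int $now): bool {
    $st = $db->prepare('SELECT fails, last_fail FROM login_fails WHERE ip = ?');
    $st->execute([$ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return false;
    if ($now - (int)$row['last_fail'] >= BAN_SECONDS) {
        clearFails($db, $ip);   // window elapsed: drop the stale tally
        return false;
    }
    return (int)$row['fails'] >= MAX_FAILS;
}

function recordFail(PDO $db, string $ip, int $now): void {
    $up = $db->prepare('UPDATE login_fails SET fails = fails + 1, last_fail = ? WHERE ip = ?');
    $up->execute([$now, $ip]);
    if ($up->rowCount() === 0) {   // first failure from this IP
        $db->prepare('INSERT INTO login_fails (ip, fails, last_fail) VALUES (?, 1, ?)')
           ->execute([$ip, $now]);
    }
}

// Returns 'ok', 'fail' or 'banned'; $passwordOk is the result of the site's own check.
function attemptLogin(PDO $db, string $ip, bool $passwordOk, int $now): string {
    if (isBanned($db, $ip, $now)) return 'banned';   // refuse without reporting the result
    if ($passwordOk) { clearFails($db, $ip); return 'ok'; }
    recordFail($db, $ip, $now);
    return 'fail';
}

// Constructed demo: in-memory SQLite, documentation-range IP (use $_SERVER['REMOTE_ADDR'] live).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_fails (ip TEXT PRIMARY KEY, fails INTEGER, last_fail INTEGER)');
$t = time();
foreach ([false, false, false, false, true] as $i => $ok) {
    echo attemptLogin($db, '203.0.113.7', $ok, $t + $i), "\n";
}
echo attemptLogin($db, '203.0.113.7', true, $t + 4 + BAN_SECONDS), "\n";
```

Behind a reverse proxy or NAT, $_SERVER['REMOTE_ADDR'] is shared by many users, so a per-IP ban can lock out legitimate logins. The UPDATE-then-INSERT step is not atomic under concurrent requests and would need a transaction or an upsert in production.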