Why silly?? it just makes you wait one second on the login page BEFORE the validation process, not on other pages. I use it everywhere. Ignatius _________________________ ----- Original Message ----- From: "Daevid Vincent" <daevid@xxxxxxxxxx> To: <php-db@xxxxxxxxxxxxx> Cc: "'..: GamCo :..'" <post@xxxxxxxxx>; "'John W. Holmes'" <holmes072000@xxxxxxxxxxx> Sent: Tuesday, July 20, 2004 9:47 PM Subject: RE: Wait Statement... ? > Similarly, I could adjust my brute force attack to sleep() a pre-determined > amount of time too ;-) > > The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate > and be done. A better way to stop attacks is to have a tally of failed > logins if you really are that worried someone is going to brute-force you. > Then after 3 fails, just don't let that IP connect or add other intelligent > handling. Maybe add them to a 'ban list' after x amount of failed tries. You > can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever. > > > -----Original Message----- > > From: John W. Holmes [mailto:holmes072000@xxxxxxxxxxx] > > Sent: Tuesday, July 20, 2004 7:10 AM > > To: ..: GamCo :.. > > Cc: php-db@xxxxxxxxxxxxx > > Subject: Re: Wait Statement... ? > > > > ..: GamCo :.. wrote: > > > ok, i added the sleep() function in my page. what i'm > > basically doing is :- > > > > > > i have a .php page where people log-in from. from there i > > send the form to > > > another .php page that actually checks the login and > > registers a session > > > with the username and password as session variables. then > > on the page that > > > actually does the validation, i have something that says : > > validating > > > login... sleep 1 funtion. then, i have another line that > > says validation > > > successfull... sleep 1 function and then i have another > > line that says > > > redirecting... with sleep 1 function and then header > > redirects to the actual > > > logged-in.php file. the redirect and validation works > > perfectly as well as > > > the sleep functions, but it now doesn't display the > > validating login... blah > > > blah blah stuff which is done in normal html code... > > > > You are very confused. Read the manual page on header(). You > > can't have > > any output before you try to redirect with a header(). > > > > If you're trying to implement some sort of brute force protection by > > using sleep(), you're using it in the wrong method, anyhow. > > Your login > > processing script should sleep for a second or two whether > > the login is > > correct or not and it should be the first thing that it does (i.e. > > before any output or redirection). If you only sleep() on > > failures and > > redirect on good logins, brute force methods can pick up on that and > > adjust their methods to get around the wait time. > > > > -- > > ---John Holmes... > > > > Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ > > > > php|architect: The Magazine for PHP Professionals - www.phparch.com > > > > -- > > PHP Database Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
