06-09-2003, 12:27 PM   #1
pdawg
Registered User
Join Date: Nov 2002
Location: Michigan, USA
Posts: 141
preventing a db flood

Before I sit down and write some code to address my problem, I thought I would post it here and see if anyone knows of anything already out there I can utilize...

I have a problem where sometimes a malicious user will write a script to repeatedly access a URL (with different query strings) and as a result will keep entering records into my database.

What I would like to do is have something where if the user has accessed my server x times in the last y minutes then his IP will be blocked from the site. I considered doing this with session variables but since I have a lot of users on this site, I feel that my memory usage may sharply increase and thus degrade performance. Also I don't know how to interface this with IIS to block the IP (I am using Windows 2000 Server and SQL Server 2000).

Any ideas?

The only thing I have thought of is to have a table store the IPs and hits in the past y minutes and just work on something from there ... but that means then every hit to the site results in accessing a db and updating a record.

06-09-2003, 02:51 PM   #2
Elemental Thought
Registered User
Join Date: Apr 2003
Location: BC, Canada
Posts: 150

I utilize a similar method to what you're describing, pdawg. However, I don't use it for every page, I normally only do it for pages that could be a problem, such as where the user can fill out a form.

What I do is I record the IP and set an expiry timestamp, generally a few seconds into the future. Then, when the form is submitted, I do a check to see if that IP address already has an entry in my table, and whether or not the entry has expired.

It works fairly well, but it would be definitely hard to implement for every page. Is it possible for you to convert your pages to use POST instead of GET when moving around the site? That would at least hide the URLs, and the script kiddies wouldn't be as inclined to write a script to access them.
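One way to combine the two ideas in this thread (x hits in the last y minutes, plus an expiry timestamp per IP), as an added example that is not code from either poster. It goes beyond the posts by keeping the state in process memory instead of a table; the class name, limits and sample IP are assumptions chosen for illustration.

```python
import time
from collections import deque

class WriteThrottle:
    """Per-IP limiter: max_hits per window_s seconds, then blocked for block_s."""
    def __init__(self, max_hits, window_s, block_s, clock=time.monotonic):
        self.max_hits, self.window_s, self.block_s = max_hits, window_s, block_s
        self.clock = clock
        self.hits = {}           # ip -> deque of hit times inside the window
        self.blocked_until = {}  # ip -> expiry timestamp of the block

    def allow(self, ip):
        now = self.clock()
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False            # still blocked: caller skips the db write
            del self.blocked_until[ip]  # block has expired
        q = self.hits.setdefault(ip, deque())
        while q and q[0] <= now - self.window_s:
            q.popleft()                 # forget hits older than the window
        if len(q) >= self.max_hits:
            self.blocked_until[ip] = now + self.block_s
            del self.hits[ip]
            return False
        q.append(now)
        return True

    def sweep(self):
        """Drop idle IPs and expired blocks; returns how many entries remain."""
        now = self.clock()
        idle = now - self.window_s
        for ip in [i for i, q in self.hits.items() if not q or q[-1] <= idle]:
            del self.hits[ip]
        for ip in [i for i, t in self.blocked_until.items() if t <= now]:
            del self.blocked_until[ip]
        return len(self.hits) + len(self.blocked_until)

def demo():
    # Constructed input: one client, one request per second, limit 3 per 60 s.
    t = [0.0]
    throttle = WriteThrottle(3, 60, 300, clock=lambda: t[0])
    results = []
    for _ in range(5):
        results.append(throttle.allow("203.0.113.7"))
        t[0] += 1
    return results  # [True, True, True, False, False]

if __name__ == "__main__":
    print(demo())
```

Call `allow()` only on the pages that insert records and run `sweep()` periodically so memory stays proportional to recently active clients. Users behind a shared proxy or NAT present a single IP, so set the limits with that in mind.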