page that automatically updates database ?

Simonhurst

hi guys
I run a website that has been a target for hackers 🙁 now ive placed some extra security into the pages that they were using to get in i,ve made a standard 403 page but i would like to log the IP address that get to this page i have done this but it needs two pages and the guy to press a button i would like it so as soon as they see the page it does the log is this possible heres the code i use at the momemnt

page 1 403 page

<html>

<head>
  <title>403 Error Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>

<body bgcolor="f8e5bb">
 <?php
        include("con.php");

 $sql = "SELECT * FROM banlist order by ban_id ";

	$sql_result = mysql_query($sql) or die(mysql_error());


	if (!$sql_result) {

		echo "<P>Couldn't get item!";

	} else {

	$row 		= mysql_fetch_array($sql_result);
  $ban_id = $row["ban_id"];
  $ban_ip = $row["ban_ip"];
  $datefield= $row["datefield"];
 }


  echo"	<FORM method=\"POST\" action=\"indexip.php\"> ";

echo"<p align=center><img src=\"logo.gif\" width=\"800\" height=\"100\"> </p>";
echo"<div align=\"center\">         ";
echo"<p>&nbsp;</p>        ";
 echo"<p align=\"center\"><b>Sorry </b></p>";
 echo"<p align=\"center\"><b>You seem to have requested a page that is not available!</b></p>";

echo "<p align=center><tr>";
		  echo"	<INPUT type=\"hidden\" name=\"ban_ip\" value=\"$REMOTE_ADDR\" size=8 maxlength=8></p></TD> ";

 echo"</div><br>";
	echo"</tr>";

 echo" <p align=center><input type=\"submit\" value=\"Press here to Go back to FalconUK\"></p> <br><hr width=\"800\" size=\"10\" noshade color=\"#c5bcce\"> ";
 ?>
</body>
</html>

page two this is sort of hidden

<html>

<head>
  <title></title>
</head>

<body>

<?
           $sql = "INSERT INTO banlist VALUES ('$ban_id', '$ban_ip', now())";

include("con.php");
    $sql_result = mysql_query($sql) or die(mysql_error());
        if (!$sql_result) {

		echo "<P>Couldn't modify record!</p>";

	} else {
    echo "<META HTTP-EQUIV=\"Refresh\" Content=\"0; URL=index.php\">";
      }
  ?>



</body>

</html>

mtimdog

On the first page, in your php put

<?php
//set $ban_ip here
//use '' for ban_id so it auto-increments
$sql = "INSERT INTO banlist VALUES ('', '$ban_ip', now())"; 

include("con.php"); 
    @mysql_query($sql);
//don't die and give them the error--don't want to give them any idea that they are being tracked.
//done
?>

Then at the top of all your pages you could check the ip to see if it's in the banlist and not show any of your pages to them.

Simonhurst

Thankyou very much mtimdog

1 more question what did you mean by this :

Then at the top of all your pages you could check the ip to see if it's in the banlist and not show any of your pages to them

would there be a way to check the db for there ip from the table and if banned they get the standard 404 page ?

as it is at the moment anyone who tries to get into my sensitive pages are checked by this script :

 $ip = getenv("REMOTE_ADDR");
if ($ip != "145.126.145.22" AND $ip != "145.126.145.22") {

 echo "<META HTTP-EQUIV=\"Refresh\" Content=\"0; URL=403.php\">";
}

which only allows my IP into the page now
sorry if i sound to paranoid here but wanna close as many holes as possible

weekender

basically, at the top of each page, you read in the list of banned ips, and if the users ip is in the list, don't show them anything

// get the users ip
$ip = getenv("REMOTE_ADDR");

// look for that ip in the table of banned ips
$sql = "SELECT * FROM bannedips WHERE ip = '$ip'";

//query the db (i didn't show the connection code)
$result = mysql_query($sql);

// if at least one matching row is found
if(mysql_num_rows($result) >= 1){

// redirect to 403
header("Location: 403.php"); // this is more secure than meta tags
echo "<META HTTP-EQUIV=\"Refresh\" Content=\"0; URL=403.php\">";
}

hope this helps

adam

Simonhurst

hi guys
hmmm can you see whats i did wrong here seems not to be inserting the IP but the others are ok

<?php
        include("conn.php");

 $sql = "SELECT * FROM banlist order by ban_id ";

	$sql_result = mysql_query($sql) or die(mysql_error());


	if (!$sql_result) {

		echo "<P>Couldn't get item!";

	} else {

	$row 		= mysql_fetch_array($sql_result);
  $ban_id = $row["ban_id"];
  $ban_ip = $row["ban_ip"];
  $datefield= $row["datefield"];
 }


  echo"	<FORM method=\"POST\" action=\"index.php\"> ";

echo"<p align=center><img src=\"logo.gif\" width=\"800\" height=\"100\"> </p>";
echo"<div align=\"center\">         ";
echo"<p>&nbsp;</p>        ";
 echo"<p align=\"center\"><b>Sorry </b></p>";
 echo"<p align=\"center\"><b>You seem to have requested a page that is not available!</b></p>";

echo "<p align=center><tr>";
		  echo"	<INPUT type=\"hidden\" name=\"ban_ip\" value=\"$REMOTE_ADDR\" size=8 maxlength=8></p></TD> ";

   echo"</div><br>";
	echo"</tr>";
                           //set $ban_ip here
//use '' for ban_id so it auto-increments
$sql = "INSERT INTO banlist VALUES ('', '$ban_ip', now())";
   @mysql_query($sql);
//don't die and give them the error--don't want to give them any idea that they are being tracked.
//done
 echo" <p align=center><input type=\"submit\" value=\"Press here to Go back to FalconUK\"></p> <br><hr width=\"800\" size=\"10\" noshade color=\"#c5bcce\"> ";
 ?>