[Q] How easy/hard is this system from the attack???

cyanblue

Happy new year to you all... 🙂

I am thinking of creating something in PHP and I'd like to ask how hard/easy it is to crack this system...

Okay... This is basically a PHP script that is placed in a public space with no user validation system... Basically what this PHP script will do is to save/retrieve sequence of strings to the people who have registered for the service... (Nothing has been written yet... It's in one of my new year resolution... 😃)

The user first registers his account and I create a unique user id... I get his server ip address by accepting the domain name where this service will be provided to the end user... I then use this ip address to validate whether the given user id matches the ip address that is stored in the database... (ip address will needs to be somehow automatically generated on my end by checking the $_SERVER['REMOTE_ADDR'] variable in my PHP script rather then getting it from the user...

If it matches, I then go on and save the string like this...

save.php?userid=1234&str=please save this string

I use the same system to retrieve the string only when the userid and the ip address matches...

load.php?userid=1234

So, do you think this can be broken easily??? I am not thinking of paying service, so I can add no logic to the user validation, but I want to add at least some level of the user validation if it is not too much of trouble... I am going to set the limit on the database so that the user cannot write more than certain limit, so it is not a big deal if somebody is keep hitting my PHP script from the same ip address(which can be happen if two users are using the same shared hosting, which I cannot do anything about...)

Any thoughts would be appreciated...

Thank you...

Roger_Ramjet

Not going to work at all. IP addresses are no use since most people are either getting one dynamically from their ISP, or surfing through a proxy with a static IP and NAT. You will quickly run into problems, or rather your users will. Use a cookie if you must avoid logins, or rethink the whole approach.

cyanblue

Thanks for the reply, Roger Ramjet... 🙂

Maybe I was not explaining it clearly... I was not talking about the end user... Let's say for example that I am trying to provide a service for a people who does not have an access to the PHP on their host... Their website should have its own ip address by their domain name... I just need to keep track of that ip address and verify whether the call was made from that specific ip address that I have on my database... The only complication that I can think of by using that is when domaina.com and domainb.com are using same host which uses shared hosting which in turn will be rendering out the same ip address...

Is it still the same case or how am I approaching it???

Thanks... 🙂

rehfeld

if they dont have access to php, or another way of server scripting, how can they access your service?

if your talking about using web bugs(like 1px clear gifs) then you cant get the ip of the domain anyway, you can only get the ip of the visitor requesting that image.

cyanblue

Howdy, rehfeld... 🙂

if they dont have access to php, or another way of server scripting, how can they access your service?

I was thinking of accessing my service via iframe of something where you can actually call http://www.myservice.com/load.php?userid=1234 or similar... Will it not work??? 🙁

you can only get the ip of the visitor requesting that image.

Hm... Yeah... I guess you are right about that... 🙁

Any other idea on this validation??? 🙂