IP blocking in high score script

deurwaarder

Hi all.

I think some of you might be familiar with the kids who feel all hardcore because they know php injection and put themselves on the #1 spot of the high score list or even flood it.

When I got the script for the high score I added ip logging in it. So the one posting high score also posts his ip. So I have the bad ip’s and now I only need to block them but I have no clue how.

The idea: I would like to put all the blocked ip’s in a separate php page that would look something like this I think:

 $bad_ip = array('255.255.255.250','255.255.255.251','255.255.255.252','255.255.255.253','255.255.255.254','255.255.255.255');

Then I would have to change the high score script. Before posting the high score, “high_score.php” should get the bad_ip variable from “bad_ip.php”. If it sees that the current high score submitter has one of the bad ip’s then it should block him (optional: a message saying for example: “go to bed kid”).

Below is the high score code:

<?php
session_start();
function redirect($url) { 
	die('<meta http-equiv="refresh" content="0;URL='.$url.'">'); 
}
if(isset($_POST["userName"])){
	$userName = $_POST["userName"];
	$time = time();
//	$ip = $_SERVER["REMOTE_ADDR"];
	$scoreDate =  date("Y-m-d H:i:s",$time);
	if (!$_SERVER['REQUEST_METHOD'] == "POST" || !$userName){
		$myScoreDB = -1;
		$addFlag = " : tried to add: ".$myScore;
	}else{
		$myScoreDB = $myScore;
	}
	if ($_SERVER['REQUEST_METHOD'] != "POST"){
		$myScoreDB = -1;
		$addFlag = " : tried to add: ".$myScore;
	}
	$sql = "insert into firewall_scores (userName,userScore,scoreDate,scoreFrom,ip) values ('$userName',$myScoreDB,'$scoreDate','".$_SERVER['HTTP_REFERER']." : ".$_SERVER['REQUEST_METHOD']." : ".$scoreValid.$addFlag."','".$_SERVER['REMOTE_ADDR']."')";
	$conn = mysql_connect("localhost", "xxxx", "xxxxxxxx");
	$dbName = "data";
	mysql_select_db($dbName,$conn);
	if (mysql_query($sql,$conn)){
		echo "&scoreIn=1";
		exit;
	}else{
		echo "&scoreIn=0";
		echo "&scoreError=".mysql_error();
		exit;
	}
}
?>

So could somebody please help? I’ve read various posts on what to do but I have no idea where to add the code. All help is appreciated.

Thanks

leatherback

Hey Deurwaarder,

Two questions:
1 - How good are your PhP skills?
2 - What is the criterium for banning?

That being said:
Since you have a database, use it. I am not sure how frequent this table would be updated, or how many users you have. Also... The people that flood, are usually online in one session, or come back?

You could set a session variable, say, post_counts, and one for start session. With those you could measure how long someone is online, and how many posts this person has made, and use these as a criterion. Or you could store the number of posts of each IP address in the database, and update whenever they post: Get the count, if less then a certain nuber, add one, and post.
Or.. You could search the database every hour, and create a summary of the posts in the database, for each IP address.

But it all depends on the sort of spam, the usage of your site, and the method with which you have spams.

Of course, you can also add a random code image to your website. THat takes a lot of fun away, I think.

deurwaarder

My php skills are minimum. Sure i can find the right code but then i fail the logic to insert the code in the right place, the right way.

But correct me if I’m wrong: you are talking about forum right? My problem has to do with high score code (after you play a flash game and submit the score), not forum =).

My criteria for banning are when I clearly see that a score is fake. I collect all the malicious ip so that it’s easier to weed out returning php injectors. Just need a way to block them form submitting the score.

The code that ads the score to the db should first check the ip of the submitter, then see if he is part of the banned ip’s, if not submit the score, if yes prohibit him from submitting the score.

leatherback

Hi,

Then I think it might be wise to work a little on learning a bit of PhP, if you are getting into editing an online game. There is probably a lot you will encounter, that requires some understanding of what you do.

For your problem; The specific application (Game scores, forum, ..) doesn't matter for how to solve the problem. The way of assessing what is permittable is: Here you do not need to store the IP, I think, since you make a cut-off of realistic and non-realistic scores.

You could just say:

if($submittedscore > 10000)
  {
  echo "I am sorry, but I do not believe you.";
  }
else
  {
  // Do your insert stuff here
  }

ysu

One thing to mention with the score banning method though:
The kid can figure out the limit, and hit just below it...
These kids have a lot of time and they can be resourceful 😉

I'd do the IP banning, or both: ban the IP if a score over the limit is submitted!
That way one kid have one try only...😃

have a table of banned IP's and do a select for it when an over-limit score is given,
then when they enter the score if it's over the limit just add the ip to the ip table with 'replace into' to avoid duplicates (use a unique key on it).

chrislive

try this:

<?php
session_start();
function redirect($url) {
    die('<meta http-equiv="refresh" content="0;URL='.$url.'">');
}
if(isset($_POST["userName"])){
    $userName = $_POST["userName"];
    $time = time();
//    $ip = $_SERVER["REMOTE_ADDR"];
    $scoreDate =  date("Y-m-d H:i:s",$time);
    if (!$_SERVER['REQUEST_METHOD'] == "POST" || !$userName){
        $myScoreDB = -1;
        $addFlag = " : tried to add: ".$myScore;
    }else{
        $myScoreDB = $myScore;
    }
    if ($_SERVER['REQUEST_METHOD'] != "POST"){
        $myScoreDB = -1;
        $addFlag = " : tried to add: ".$myScore;
    }

   // Added Code Start

   // Check the Database for the IP
    $query_bannedip = "SELECT * from firewall_banned_ips WHERE `ip` = '$_SERVER['HTTP_REFERER']';";
    $result_bannedip = @mysql_query ($query_bannedip);

// Count the Rows
$countrows_result_bannedip = mysql_num_rows($result_bannedip);

// If the count != 0 then dont run the SQL
if($countrows != "0")
  {
    echo "Naughty Little Boy";
  }
else
  {

        // Allow the SQL INSERT

        $sql = "insert into firewall_scores (userName,userScore,scoreDate,scoreFrom,ip) values ('$userName',$myScoreDB,'$scoreDate','".$_SERVER['HTTP_REFERER']." : ".$_SERVER['REQUEST_METHOD']." : ".$scoreValid.$addFlag."','".$_SERVER['REMOTE_ADDR']."')";
        $conn = mysql_connect("localhost", "xxxx", "xxxxxxxx");
        $dbName = "data";
        mysql_select_db($dbName,$conn);
        if (mysql_query($sql,$conn)){
            echo "&scoreIn=1";
            exit;
        }else{
            echo "&scoreIn=0";
            echo "&scoreError=".mysql_error();
            exit;
        }
  }
}
?>

You would need to create that table and put in the bad ips.

deurwaarder

leatherback wrote:
Hi,

Then I think it might be wise to work a little on learning a bit of PhP, if you are getting into editing an online game. There is probably a lot you will encounter, that requires some understanding of what you do.

For your problem; The specific application (Game scores, forum, ..) doesn't matter for how to solve the problem. The way of assessing what is permittable is: Here you do not need to store the IP, I think, since you make a cut-off of realistic and non-realistic scores.

I know i have to get in to PHP more and i will. But atm I’m in the process of expanding the site, redesigning it and expanding the advertisers list. That all already puts flash game making to the back, so doing PHP stuff is driven even further down the list. But when stuff like this accrues I have no choice. Clearly these kids have no idea how they can mess up a webmasters schedule.

But about that maximum score: the latest injected score was +1 higher then the second score so they try to be discreet but the ip shows it all. Just like ysu said: they work around it. btw, sounds like a complex but good thing ysu. I noted that one down. Thank you both for your replies.

chrislive wrote:
try this:

I made a table named “banned_ip” and I also changed the name in the PHP script to that table. In the table I added a field named “ip”.

But I’m getting this:

Parsing Error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING (line 25)

I tried some things but they all seem to fail. Some help please?

Thanks

ysu

check if all quotes are closed, semi-commas are in place...
there's a syntax error somewhere! 🙂

chrislive

its talking about line 25.. so that is this one:
$query_bannedip = "SELECT * from firewall_banned_ips WHERE ip = '$_SERVER['HTTP_REFERER']';";

try this:

$query_bannedip = "SELECT * from firewall_banned_ips WHERE ip = '$_SERVER[HTTP_REFERER]';";

or even

$this_ip = $_SERVER['HTTP_REFERER'];
$query_bannedip = "SELECT * from firewall_banned_ips WHERE `ip` = '$this_ip';";

ysu

this one is not in a working shape:

$query_bannedip = "SELECT * from firewall_banned_ips 
  WHERE `ip` = '$_SERVER[HTTP_REFERER]';";

it should read:

$query_bannedip = "SELECT * from `firewall_banned_ips` 
  WHERE `ip` = '{$_SERVER['HTTP_REFERER']}'";

Although this will not cause a parse error i think.
The other one is good.

You may have the open quote or bracket causint the problem earlier, syntax errors are not always caused where the error comes up. If you can put your hands on a syntax checher app (zend studio for example) it can simplify this process for you.

MarkR

You should modify the Flash game so that it sends some security code with the high score. This should be created from hashing the player's name and score (with some secret value). The PHP code should do the same hashing and compare the result. If it's different, you should reject the high score.

Of course this is still very easily hackable, but slightly more difficult that's all. I guess it will stop those kiddies.

You may want to consider using HTTPS as well, as then they can't dump the request using (e.g.) Ethereal.

Mark

deurwaarder

Thanks for all the input again all =)

But I’m still getting errors. Something, somewhere in the code is wrong. I tried all the suggestions and all gave me this error:

Parsing Error: parse error, unexpected $ (line 53)

That is the last line so that seems not like the problem to me. The error could be anywhere. Just for the record: I am using Zend and that is the error I get after analyzing the code.

MarkR wrote:
You should modify the Flash game so that it sends some security code with the high score. This should be created from hashing the player's name and score (with some secret value). The PHP code should do the same hashing and compare the result. If it's different, you should reject the high score.

That sounds good. The only way they could find out is via decompiling. But I would use the same obscurification technique I used with the link to the score PHP. But in this case, an obscurefied variable is harder to find. My next game high score will have a higher level of security.

There are so many methods. I’ve read stories about ppl wanting to run the scores via SSL and use salted MD5 codes etc. It’s crazy that you have to resort to those things.

But yeah, just a little more help.

Thanks

deurwaarder

:o I really can't do this on my own. Need some help.

Btw, the same guy was at it again. I have a link to his fun blog and his main blog because he was stupid enough to link to my site to show others what he did. Seriously thinking about making a nice little flash involving him, his girlfriend, friends and family