Security hack :)
#1

[eluser]flash_back[/eluser]
I need some help. I have a small social network (only 200+ users so far, but soon, with a faster server coming, the network will grow) and I want to protect it from spam robots etc...

You maybe found a better solution (please tell me if so), but mine is to attach a hidden field in the form helper, and whenever a form is opened it contains a security code (md5 hash of the time and a random string) which follows it while you/the user do anything with the DB!

OK, so the problem is that I can't call the post parameter from DB_driver.php // query function || to see if it's set, and if it is, check it against the session security code; if it is not OK, go back from that. Anybody, anything better maybe???
#2

[eluser]flash_back[/eluser]
Wrong, I tested it from the bot side that doesn't send the security code... when the small patch is finished I will upload it.
#3

[eluser]flash_back[/eluser]
Anybody, HELP! I am jammed.

---

How can I call the session function from DB_driver.php???

I am trying something like this:

$this->CI=& get_instance();
$this->CI->load->library('db_session');

It loads it, but I can't call the userdata function: $this->CI->db_session->userdata('sigurnosni_kod');
#4

[eluser]WanWizard[/eluser]
Don't know what you're trying to do, but it looks like you're making it way too complicated.

Use the normal CI session library, and configure it for database sessions. Never destroy the session, always rotate the session id's, and also when the security level of a user changes.

Use a random generated nonce to protect every form. Store these nonces in the users session, together with an expiry timestamp, and the form name (for maximum security). When the form is posted, first check the nonce and form name against the session. If the nonce is not present, or expired, terminate the process and redirect to an error page. Only when the nonce passes inspection, continue with validating the fields on your form.

If you use base controllers, you can even do this check in the base controller constructor, so the request doesn't even get to your controller method if the nonce check fails.

No need to do this as deep in the system as the database driver. Block strangers at the gate, not wait until they're in your basement.
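The nonce scheme described above, as an added example in plain PHP 7.1+ that is not code from the thread or from CodeIgniter: `$session` stands in for the session userdata array, the `nonce_*` names are this example's own, and several outstanding nonces (several forms open at once) are kept side by side.

```php
<?php
// Added example (not from the thread or CodeIgniter): per-form nonces kept in
// the session with an expiry and the form name; $session mimics session userdata.

function nonce_issue(array &$session, string $form, int $ttl = 600): string
{
    $now = time();
    // Drop expired nonces so a user with many open tabs does not bloat the session.
    foreach ($session['nonces'] ?? [] as $token => $entry) {
        if ($entry['expires'] < $now) {
            unset($session['nonces'][$token]);
        }
    }
    $nonce = bin2hex(random_bytes(16));   // 128 random bits, unguessable
    $session['nonces'][$nonce] = ['form' => $form, 'expires' => $now + $ttl];
    return $nonce;
}

// Hidden field to append from the form helper (value escaped for HTML).
function nonce_field(string $nonce): string
{
    return '<input type="hidden" name="nonce" value="'
        . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '" />';
}

// True only for a nonce that exists, has not expired and was issued for this
// form. The nonce is consumed on every attempt, so a replay fails as well.
function nonce_check(array &$session, string $form, ?string $posted): bool
{
    if ($posted === null || !isset($session['nonces'][$posted])) {
        return false;                     // nothing posted, or an unknown token
    }
    $entry = $session['nonces'][$posted];
    unset($session['nonces'][$posted]);
    if ($entry['expires'] < time()) {
        return false;                     // stale form
    }
    return hash_equals($entry['form'], $form);
}

// Constructed session array standing in for the real one.
$session = [];
$topic = nonce_issue($session, 'forum_post');
$image = nonce_issue($session, 'image_upload');   // two forms open at once
var_dump(nonce_check($session, 'forum_post', $image));  // token of another form
var_dump(nonce_check($session, 'forum_post', $topic));  // the matching token
var_dump(nonce_check($session, 'forum_post', $topic));  // same token again (replay)
var_dump(nonce_check($session, 'forum_post', null));    // client sent no nonce
$old = nonce_issue($session, 'forum_post', -1);          // issued already expired
var_dump(nonce_check($session, 'forum_post', $old));    // past its expiry
```

Only the second check accepts; the others are rejected before any field validation runs, which is the "block at the gate" order of operations described above.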
#5

[eluser]flash_back[/eluser]
Thanks for the great answer; at the end, philosophy I would like to say, but something like that is what I am trying to do! In the session is a security code that follows the user/visitor trying the site..

I am still on my modification of FreakAuth Lite and CI 1.6.2; I need a full year to develop the forum, user CP, image gallery etc., so I stand a little behind now.

Anyway, that is nice, but when somebody (like hackers) develops a spam robot it needs to be kept at the gate and the basement secured too! In your way, if a robot is developed it can spam (do anything) because it gets a session and a form, same value! Just use it now and it will keep rocking the network... This is already done for the forum; in this way (a little different) I check if somebody already posted before you open a post window etc.

In this way, any time somebody wants to post on two different forms (maybe uploading images, or a forum topic / post) he will get one "bad" redirect! My way is to attach a hidden field in the form helper so as not to edit a million functions, and when a form is passed the code in the session changes; when the code is bad, the session changes too!

My way is (with a million functions already) to block possible hacker attacks with a change of a few lines. I will try your way but keep the basement too; water inside one time is very bad! Thanks a lot man, regards, Stevan!
#6

[eluser]WanWizard[/eluser]
Again, you're making things too complicated.

First of all, spammers will not develop a robot for your forum unless it's so big there's money to be made. I run some fairly big sites, and never had any spam on their forums. Second, the only thing you can do to prevent spam bots is to use something that humans can but spam bots can't do. Things like captchas. If your forum is very popular, a captcha isn't going to stop them, since spammers now employ people to decipher captchas, or even hire people to create an account and start spamming.

There are some other tactics you can use, like: don't allow links in the first x posts, in the first x days after creating an account, until the user received x positive feedbacks from other users, etc.
#7

[eluser]flash_back[/eluser]
Yes, you are 100% right; as you can see in vBulletin v4 you have captchas for every single thread.

But this way, a robot (if it is not smart enough) can (if it gets the XHTML) spam one time and there is a BAN, no second chance...

We have a saying: if you fly high you fall down big time.. but on the social network side, if you don't think like you fly high you will fall down!

---

Code, all working except the ci_session calls; a simple and fast plug-in.

---

In the main model that loads all the others:

// Alfa v0.1 security
if (!$this->db_session->userdata('sigurnosni_kod')):
$this->db_session->set_userdata('sigurnosni_kod', md5('xxx'.time().'xxx'));
endif;

// form_helper.php - at the end of the form_open function

$obj =& get_instance();
$form .= form_hidden('sigurnosni_kod', $obj->db_session->userdata('sigurnosni_kod'));
return $form; // two lines before that

// DB_driver.php // this f... me; put this in the first line of the query function!

if (preg_match('/^\s*"?(SET|INSERT|UPDATE|DELETE|REPLACE|CREATE|DROP|LOAD DATA|COPY|ALTER|GRANT|REVOKE|LOCK|UNLOCK)\s+/i', $sql)):
    $this->CI =& get_instance();
    if ($this->CI->input->post('sigurnosni_kod')):
        $sigurnosni_kod = $this->CI->input->post('sigurnosni_kod');
        // if ($this->CI->load->library('db_session')): echo 'OK'; exit; else: echo 'sranje'; exit; endif;
        $sigurnosni_kod_sesije = $this->CI->db_session->userdata('sigurnosni_kod');
        if ($sigurnosni_kod != $sigurnosni_kod_sesije):
            // this code is rejected like all POST parameters; set a new one, and the second time BAN the user for a while!
            $this->CI->db_session->set_userdata('sigurnosni_kod', md5('xxx'.time().'xxx'));
            echo 'Sigurnosni zaštitni parametri nisu ispunjeni!'; exit;
        else:
            // code passed; refresh with a new one for the next form
            $this->CI->db_session->set_userdata('sigurnosni_kod', md5('xxx'.time().'xxx'));
        endif;
    else:
        echo 'BOT, hacker, some error page, cant be user or BAN!'; exit;
    endif;
endif;

---

If you can, please help me with getting the userdata call of the db_session library, and set_userdata too?!? This way a robot can enter just one time! I can make code to catch the second one and ban the IP or something for 1/2h! Anyway, it's great for changing the id of the session / cookie too, then a little faster etc.. but this must go on.
#8

[eluser]flash_back[/eluser]
Just to add an "array" in the session for the page, so there can be more than one security code; just pass this session info and you will get the full list. Why write it all when I am stuck at this.
#9

[eluser]flash_back[/eluser]
Even better, attach the last code (except the if (preg_match('/^\s*"?(SET|IN etc..)) to the run function of validation; that way every single form will be checked! On the 5th time (whatever - changing just the security code when a form is passed or otherwise) change the cookie/session ID, and that's good progress for making POST safe!