Getting URL arguments

Mark Jensen · Mark Jensen

I'm trying to read the arguments of the URL for the document. I'm new
to PHP and can't figure it out. I've played around with $_SERVER but
the closest I can get is the QUERY_STRING which doesn't include
arguments.

Essentially I'm configuring nuke, and want to block a user after two
failed login attempts. I'm not sure of the most elegant way to do
this. What I was thinking was to watch the URL. At first it is
?module.php=Your_Account, then after one failed attempt it is
?module.php=Your_Account&stop=1. I was going to read that and add a
count, like '&try=2' so the code could follow attempts and block the
user after n attempts.

I really don't like how I'm doing this, but I'm not sure the best way.

Any suggestions welcomed,

Mark

eclipsboi · eclipsboi

You might want to try $_GET and/or $_POST for queries. This easily
allows your to easily play with any and all values passed to PHP from
the user's web browser. As for checking how many times a user has
failed at logging in, you may not want to depend solely on a GET value
passed from the Earl. This would allow anybody to manipulate your
system, possibly opening yourself up to attack, because they could
just change stop and continue trying to log in.

eGroupWare--a PHP software package for online enterprise
collaboration--uses a method where they log all login attempts to
their MySQL database. When a user logs in, it queries the login table
and pools all the logins for that given user (based on username I
believe and login times), and if the user has tried too many times
based on that query, then it won't let that user login for however
many minutes set up for blocking. Granted, their system is not perfect
(as they offer no way to unblock someone manually), but maybe it could
give you an idea of how you want to handle your situation.

On Sat, 03 Jul 2004 02:27:13 GMT, Mark Jensen <a@a.a> wrote:

>I'm trying to read the arguments of the URL for the document. I'm new
>to PHP and can't figure it out. I've played around with $_SERVER but
>the closest I can get is the QUERY_STRING which doesn't include
>arguments.
>
>Essentially I'm configuring nuke, and want to block a user after two
>failed login attempts. I'm not sure of the most elegant way to do
>this. What I was thinking was to watch the URL. At first it is
>?module.php=Your_Account, then after one failed attempt it is
>?module.php=Your_Account&stop=1. I was going to read that and add a
>count, like '&try=2' so the code could follow attempts and block the
>user after n attempts.
>
>I really don't like how I'm doing this, but I'm not sure the best way.
>
>Any suggestions welcomed,
>
>Mark

Mark Jensen · Mark Jensen

On Sat, 03 Jul 2004 02:40:39 GMT, eclipsboi <eclipsboi@hotmail.com>
wrote:

>You might want to try $_GET and/or $_POST for queries. This easily
>allows your to easily play with any and all values passed to PHP from
>the user's web browser. As for checking how many times a user has
>failed at logging in, you may not want to depend solely on a GET value
>passed from the Earl. This would allow anybody to manipulate your
>system, possibly opening yourself up to attack, because they could
>just change stop and continue trying to log in.
>
>eGroupWare--a PHP software package for online enterprise
>collaboration--uses a method where they log all login attempts to
>their MySQL database. When a user logs in, it queries the login table
>and pools all the logins for that given user (based on username I
>believe and login times), and if the user has tried too many times
>based on that query, then it won't let that user login for however
>many minutes set up for blocking. Granted, their system is not perfect
>(as they offer no way to unblock someone manually), but maybe it could
>give you an idea of how you want to handle your situation.
>
>On Sat, 03 Jul 2004 02:27:13 GMT, Mark Jensen <a@a.a> wrote:
>

>>I'm trying to read the arguments of the URL for the document. I'm new
>>to PHP and can't figure it out. I've played around with $_SERVER but
>>the closest I can get is the QUERY_STRING which doesn't include
>>arguments.
>>
>>Essentially I'm configuring nuke, and want to block a user after two
>>failed login attempts. I'm not sure of the most elegant way to do
>>this. What I was thinking was to watch the URL. At first it is
>>?module.php=Your_Account, then after one failed attempt it is
>>?module.php=Your_Account&stop=1. I was going to read that and add a
>>count, like '&try=2' so the code could follow attempts and block the
>>user after n attempts.
>>
>>I really don't like how I'm doing this, but I'm not sure the best way.
>>
>>Any suggestions welcomed,
>>
>>Mark

Yeah, I was thinking about using the DB or cookies. The site does not
have to be secure, but the client thinks so. It really doesn't
matter, so I'm trying to do it as quickly as possible. Well, I gotta
jump in to creating sql querying transactions next, so I might as well
go that route.

Thanks!

Sebastiaan Lauwers · Sebastiaan Lauwers

Mark Jensen wrote:

> I'm trying to read the arguments of the URL for the document. I'm new
> to PHP and can't figure it out. I've played around with $_SERVER but
> the closest I can get is the QUERY_STRING which doesn't include
> arguments.

the values that are passed through an URL are called GET, they are put
in an array which you can access with $_GET['var']

so if you use [url]http://sub.isp.com/dir/file.php?var=1[/url]

you'll want to get the value of $var and to do so use:

<?php
$var = $_GET['var']; //alternatively you can also directly use
//$_GET['var'] but it's just cleaner this way (imo)
?>

>
> Essentially I'm configuring nuke, and want to block a user after two
> failed login attempts. I'm not sure of the most elegant way to do
> this. What I was thinking was to watch the URL. At first it is
> ?module.php=Your_Account, then after one failed attempt it is
> ?module.php=Your_Account&stop=1. I was going to read that and add a
> count, like '&try=2' so the code could follow attempts and block the
> user after n attempts.

What will you do if the user changes the url? He'll keep bruteforcing
the login without problems...

>
> I really don't like how I'm doing this, but I'm not sure the best way.

You could use sessions instead. The user hasn't got access to those vars.

<?php
session_start();
if (isset ($_SESSION['attempts'])) {

$attempts = $_SESSION['attempts'];
if ($attempts >= "2") {

echo 'Sorry, but you're not allowed anymore';

}
else {

echo 'Login Form:'; //here goes your login form

}
}
else {

echo 'Login Form:'; //here goes your login form

}
if ("LOGIN_FAILED") //well you get the idea, if the logins fails...

if (isset ($_SESSION['attempts'])) {

$attempts = $_SESSION['attempts'];
$_SESSION['attempts'] = $attempts + 1;

}
else {

$_SESSION['attempts'] = 1;

}
}
?>

Yeah well, i'm sure there are some errors, it's only a main idea.

>
> Any suggestions welcomed,

Hope this fits as a suggestion you wanted,

>
> Mark

Best regards,
Sebastian

--
The most likely way for the world to be destroyed,
most experts agree, is by accident.
That's where we come in; we're computer professionals.
We cause accidents.
--Nathaniel Borenstein

Getting URL arguments

Thread Tools

Display

Getting URL arguments

Similar Questions and Discussions

JVM Arguments

using 'do' with arguments

[PHP] Function arguments

showDialogModal and arguments

exec for EXE with arguments

Re: Getting URL arguments

Re: Getting URL arguments

Re: Getting URL arguments

Posting Permissions