Implementation process and details of PHP registration anti-brush attack

Implementation process and details of PHP registration anti-brushing attack

First of all, in order to protect our website from malicious registration and data brushing attacks, we need to take some defenses measure. This article will introduce the implementation process and details of PHP registration anti-brushing attacks, and provide some code examples.

1. Verification code verification

Verification code is a common method to prevent robot registration. On the registration page, we can add a verification code input box and generate a random verification code image. Users need to correctly enter the verification code when registering to pass verification.

In PHP, we can use the GD library to generate verification code images. The following is a simple code example:

<?php
session_start();

// 生成验证码
function generateCaptcha() {
    $image = imagecreatetruecolor(100, 40);
    $bgColor = imagecolorallocate($image, 255, 255, 255);
    $textColor = imagecolorallocate($image, 0, 0, 0);
    
    imagefilledrectangle($image, 0, 0, 100, 40, $bgColor);
    
    $captcha = '';
    $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    for ($i = 0; $i < 6; $i++) {
        $captcha .= $characters[rand(0, strlen($characters) - 1)];
    }
    
    $_SESSION['captcha'] = $captcha;
    
    imagettftext($image, 20, 0, 10, 30, $textColor, 'arial.ttf', $captcha);
    
    header('Content-type: image/png');
    imagepng($image);
    imagedestroy($image);
}

// 输出验证码图片
generateCaptcha();
?>

In the registration page, we can use <img src="captcha.php" alt="Captcha"> to display the verification code Picture, where captcha.php is the file name where the above code is located.

When submitting the registration form, we need to verify the verification code. Here is a simple code example:

<?php
session_start();

if (isset($_POST['captcha'])) {
    $captcha = $_POST['captcha'];
    if (strtolower($captcha) === strtolower($_SESSION['captcha'])) {
        // 验证码正确，执行注册逻辑
        // ...
    } else {
        // 验证码错误，给出错误提示
        // ...
    }
}
?>

2. IP Address Restrictions

Another way to prevent registration data brushing is to limit the same IP address to only Register a certain number of accounts.

Add a register_time field and a register_ip field to the user table of the database, indicating the registration time and registration IP address respectively.

In the registration logic, we can add the following code:

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$timeLimit = time() - 24 * 60 * 60; // 限制为24小时内只能注册一个账号
$maxRegistration = 5; // 限制为每天只能注册5个账号

// 查询同一IP地址在一段时间内注册的账号数量
$sql = "SELECT COUNT(*) FROM users WHERE register_ip = ? AND register_time > ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$ip, $timeLimit]);
$count = $stmt->fetchColumn();

if ($count >= $maxRegistration) {
    // 超出限制，给出错误提示
    // ...
} else {
    // 执行注册逻辑
    // ...
}
?>

By limiting the number of accounts registered with the same IP address, we can effectively prevent data brushing attacks.

3. Email verification

In addition, we can also send a verification email to the email address provided by the user during registration, and require the user to click on the verification link to complete account activation.

In the registration logic, we can add the following code:

<?php
// 生成一个随机的激活码
$activationCode = md5(uniqid(rand(), true));

// 将激活码保存到数据库的用户表中
$sql = "UPDATE users SET activation_code = ? WHERE email = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$activationCode, $email]);

// 发送验证邮件
$to = $email;
$subject = '账号激活';
$message = "请点击以下链接激活您的账号：

";
$message .= "http://example.com/activate.php?code=" . urlencode($activationCode);
$headers = 'From: webmaster@example.com' . "
" . 'Reply-To: webmaster@example.com' . "
";
mail($to, $subject, $message, $headers);
?>

In the activation page, we can query the corresponding account based on the activation code and update the account status to activated. The following is a simple code example:

<?php
$code = $_GET['code'];

// 根据激活码查询对应的账号
$sql = "SELECT * FROM users WHERE activation_code = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$code]);
$user = $stmt->fetch();

if ($user) {
    // 更新账号状态为已激活
    $sql = "UPDATE users SET status = 'activated' WHERE id = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$user['id']]);
} else {
    // 激活码无效，给出错误提示
    // ...
}
?>

Through email verification, we can ensure that the email address provided by the user is valid, and that the account activation process is actively triggered by the user, thereby preventing malicious registration behavior .

Summary

PHP registration anti-brush attack is one of the important means to protect website security. Through methods such as verification code verification, IP address restrictions, and email verification, we can effectively prevent robot registration and data brushing attacks. When implementing, we need to choose appropriate defense measures based on the specific situation and follow best practices for secure coding.

The code examples provided above are only for demonstration purposes, and more details and security issues need to be considered in actual applications. During the development process, it is recommended to use safe PHP frameworks, such as Laravel or Symfony, to simplify development and provide some basic security protection measures.

The above is the detailed content of Implementation process and details of PHP registration anti-brush attack. For more information, please follow other related articles on the PHP Chinese website!