Practical cases and solutions for preventing PHP registration attacks

Practical cases and solutions for PHP anti-registration attacks

Introduction:

With the rapid development of the Internet, network security problems are becoming increasingly serious. . Among them, registration anti-swiping attacks are a common attack method. Attackers use automated scripts or malicious programs to register a large number of accounts, which greatly consumes server resources and affects normal website use. This article will introduce a practical case based on PHP and provide corresponding defense solutions.

Case background:

Suppose we have a user registration function. Users need to enter user name, password, email address and other information to register. After receiving the registration information submitted by the user, the system will write the user information into the database through a PHP script.

Attackers use automated programs or scripts to send a large number of registration requests to the server at once, and register a large number of malicious accounts instantly. This attack method will cause server resources to be exhausted, normal users will be unable to register or log in, causing serious trouble to the website.

Defense plan:

1. Add verification code function

Verification code is currently one of the most commonly used means to prevent robot attacks. By adding a verification code function to the user registration page, users can be asked to enter the verification code in the picture to ensure that the user is authentic.

Code example:

<!-- 在注册页面的表单中添加验证码输入框 -->
<form action="register.php" method="post">
  <!-- 其他表单字段 -->
  <label for="captcha">验证码：</label>
  <input type="text" name="captcha" id="captcha" required>
  <img src="/static/imghwm/default1.png"  data-src="captcha.php"  class="lazy" alt="验证码">
  <!-- 其他表单字段 -->
  <button type="submit">注册</button>
</form>

<!-- 生成验证码的captcha.php文件 -->
<?php
session_start();

// 生成随机验证码
$code = substr(md5(rand()), 0, 4);

// 将验证码存入SESSION中
$_SESSION['captcha'] = $code;

// 创建一个空白图片
$image = imagecreatetruecolor(80, 40);

// 设置颜色
$bgColor = imagecolorallocate($image, 255, 255, 255);
$textColor = imagecolorallocate($image, 0, 0, 0);

// 填充背景色
imagefill($image, 0, 0, $bgColor);

// 写入验证码
imagestring($image, 5, 20, 10, $code, $textColor);

// 输出图片
header('Content-type: image/jpeg');
imagejpeg($image);

// 销毁图片
imagedestroy($image);
?>

In the above code, you first need to add a verification code input box to the form on the registration page. Users need to enter the verification code correctly to complete registration. At the same time, in order to generate a verification code image, a captcha.php file needs to be created on the server. This file generates a random verification code and stores it in the SESSION. Then, use PHP's imagecreatetruecolor() function to create a blank picture, set the background color and text color, and write the verification code into the picture. Finally, the generated verification code image is output to the browser through the header function.

2. Add IP and user restrictions

By restricting the same IP or the same user to only register once within a certain period of time, the impact of registration anti-brushing attacks can be effectively mitigated.

Code example:

<?php
session_start();

// 获取IP地址
$ip = $_SERVER['REMOTE_ADDR'];

// 获取用户ID或其他唯一标识符
$userId = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : '';

// 设置时间间隔限制（单位：秒）
$timeLimit = 60;

// 检查用户是否已经在规定时间内注册过
if (checkRegistrationLimit($ip, $userId, $timeLimit)) {
  // 用户已经在规定时间内注册过，显示错误信息，禁止注册
  echo '您已经在规定时间内注册过了！';
  exit;
}

// 其他注册逻辑

// 完成注册后记录IP和用户信息
recordRegistrationInfo($ip, $userId);

// 其他后续操作

// 检查用户是否在规定时间内已经注册过
function checkRegistrationLimit($ip, $userId, $timeLimit) {
  // 在数据库或文件中记录用户注册时间
  // 判断是否在指定时间内已经注册过
  // 返回true或false
}

// 记录用户注册信息
function recordRegistrationInfo($ip, $userId) {
  // 在数据库或文件中记录用户IP和用户ID等信息
}
?>

In the above code, first obtain the user's IP address through $_SERVER['REMOTE_ADDR'], and pass $_SESSION[' user_id']Get the user's ID or other unique identifier. Set a time interval limit, such as 60 seconds. Then, check whether the user has registered within the specified time through the checkRegistrationLimit() function. If so, an error message is displayed and registration is prohibited; otherwise, other registration logic is executed, and after the registration is completed, the recordRegistrationInfo() function is used to record the user's IP and user ID and other information.

Conclusion:

By adding verification code functions, IP and user restrictions, etc., you can effectively prevent PHP registration anti-brushing attacks. In actual development, adjustments can be made according to specific circumstances and other security measures can be added to improve the security of the website.

The above is the detailed content of Practical cases and solutions for preventing PHP registration attacks. For more information, please follow other related articles on the PHP Chinese website!