Reputation: 3867
Add delay or pause to MySQL query for security
I've been reading up on security measures to prevent brute force attacks. I'm specifically concerned with querying my MySQL database through PHP.
Is there a way to add a pause in the MySQL query of a few seconds, either through PHP or MySQL? This would limit the number of brute force attempts a hacker could use.
For reference, I found the idea here - http://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Upvotes: 2
Views: 5007
Answers (4)
Reputation: 67039
If brute force is an issue use a Captcha like reCaptcha. You don't have to prompt them right away, like gmail you can wait until they build up enough "heat". You can store heat in the database and address it to $_SERVER['REMOTE_ADDR']. The use of $_SESSION would be weak because the attacker can just grab a fresh session id.
Upvotes: 0
Reputation: 27876
You can do usleep or sleep as the other said, but this is not how this security measure should be implemented. Actually these functions are useless for this model of security. What you want is to add a logic layer to the login function that will check for a given user the number of logins or some timeframe. Delaying the execution of the script makes no sense as a new request will start another php script. Check for timestamp of the last login attempt from that IP or log the number of tries and if you decide there is a risk just block the requests from that IP for the next 24 hours or so.
Upvotes: 2
Reputation: 54934
I am not aware of anything from the MySQL side, but from a PHP script, you can use the sleep or usleep functions to pause the execution of your scripts.
http://www.php.net/manual/en/function.usleep.php
Sleep will pause for the defined number of seconds.
usleep will pause for the defined number of microseconds. This gives you a much more precise level of delay, so I would use this instead.
Therefore, usleep is more appropriate, so you could do something like this.
// your php code here
// then wait for 1.1 second
usleep(1001000);
// then do your SQL stuff
I would caution the use of this though. The user experience will suffer as a result, as your pages will be slower to respond. Maybe have a function that only resorts to using delays if you see an abnormal spike in traffic, or a lot of traffic from one source.
Upvotes: 1
Reputation: 70731
You can use PHP's sleep function to do this. Of course, you only want to do this if the authentication fails.
Upvotes: 1
Related Questions
- Restrict the "sending data" time for MySQL
- Locking table for other script's queries until my php script ends
- Locking table through php
- Waiting x seconds before checking a row in mysql
- Countdown until mysql query is executed
- How do I tell PHP to wait for an SQL query only for a certain amount of time?
- MYSQL SELECT WITH PAUSE
- PHP: Skip MySql Query if it takes longer than a second
- Lock visitor until mysql query is complete
- Wait 30 seconds in order to allow a new action on PHP and MySQL?