Ip block

[galdikas]

Ok I am trying to come up with a function that would check if 2 users ever logged from the same IP.

so i have table with all user logins, which as well contains all IPs.

<?php

function ip_block($_SESSION['userid'],$other_id)
{
$loggedinusersips=mysql_query("SELECT ip FROM userlogins WHERE userid='$_SESSION['userid']");

$i=0;
 if($i==0)
 {
   while($liup=mysql_fetch_assoc($loggedinusersips))
     {
       $otherusersips=mysql_query("SELECT ip FROM userlogins WHERE userid='$other_id' AND ip='{$liup['ip']}'");

	if(mysql_num_rows($otherusersips)>0)
		{
		$i++;
		}

     }
 }

  if($i==0)
  {
   $ip_block_passed=1;
   return $ip_block_passed;
  }
	else
	{
	 $ip_block_passed=0;
	 return $ip_block_passed;
	}
}
?>

 

should this do??

[Danny696]

Only way to find out will be to test it. First query has an error though, just need a ' after the $_SESSION['userid']

In all the querys the vars need a { and } around them.

In the final if statement, why not just return true; (1) or false (0)

[galdikas]

It does indeed work :)

I was just looking for someone to give feedback on the code.. especially about that database query in the while loop..

Anyone got any data about how common is it that one single user will have more then lets say 10 different IPs?

because it probably should not cayse to much lag, if there isnt many users with dynamic IPs :)

[galdikas]

In all the querys the vars need a { and } around them.

)

Ok.... I never enclose vars wit anything in querys... Well except if it is like array $something['something'].. And it works fine. Well it appears to work fine.. :) is there some security vulnerability or something I am unaware of??

In w3schools SQL tutorial (which I used to teach myself SQL) values was not enclosed in anything. But they weren't using variable but direct values///

[Karlos94]

Wouldn't something like this suffice for your needs?

// Untested..
function check_ip($id)
{
$q = mysql_query('SELECT `ip` FROM `userlogins` WHERE `ip`="'.$_SERVER['REMOTE_ADDR'].'"');

return (mysql_num_rows($q) > 1  && $_SESSION['userid'] !== $id) ? TRUE : FALSE;
}

 

The reason this function should suffice is because you are comparing one users IP to another users IP. Whereas this function is first getting ALL the IP's from the database that are similar to the current users IP, and then finally checks the amount of rows, if it is greater than 1 then return TRUE, if not, return FALSE.

Edited May 25, 2011 by Karlos94
Added explanation why it should suffice.

[galdikas]

Wouldn't something like this suffice for your needs?

// Untested..
function check_ip($id)
{
$q = mysql_query('SELECT `ip` FROM `userlogins` WHERE `ip`="'.$_SERVER['REMOTE_ADDR'].'"');

return (mysql_num_rows($q) > 1  && $_SESSION['userid'] !== $id) ? TRUE : FALSE;
}

 

The reason this function should suffice is because you are comparing one users IP to another users IP. Whereas this function is first getting ALL the IP's from the database that are similar to the current users IP, and then finally checks the amount of rows, if it is greater than 1 then return TRUE, if not, return FALSE.

 

Yeah but this block is easy to get around :) All you need to get around is to log in from new computer, and you will be able to send the other person.

And my function checks all IP's of both users. So he can even log in with proxy, if they ever logged in from same IP.. That's it, they wont get around :)

[Dominion]

So no one on your game may use any kind of public connection?

[Karlos94]

Yeah but this block is easy to get around :) All you need to get around is to log in from new computer, and you will be able to send the other person.

And my function checks all IP's of both users. So he can even log in with proxy, if they ever logged in from same IP.. That's it, they wont get around :)

Incorrect, your only checking the ip field, which is what I have done as well. My function does what you need.

[Paul Evans]

True karlos has a point his is cleaner :)

[galdikas]

So no one on your game may use any kind of public connection?

Hm.. Well yeah :) I mean you can use it,... But people will have to accept, that you cannot transfer anything between 2 accounts that ever logged in from same IP :)

If game will be succesfull, there should be plenty of other people to do business with. If it won't be succesfull there will be no game lol

[Dave]

Hm.. Well yeah :) I mean you can use it,... But people will have to accept, that you cannot transfer anything between 2 accounts that ever logged in from same IP :)

If game will be succesfull, there should be plenty of other people to do business with. If it won't be succesfull there will be no game lol

You'll have to log every single different IP the user logins on though. Could become a very large table if the game gets big. Especially with dynamic IP's. Could just place a cookie on the users browser and do it that way? Obviously this cookie can be deleted but it's better then nothing.

[galdikas]

You'll have to log every single different IP the user logins on though. Could become a very large table if the game gets big. Especially with dynamic IP's. Could just place a cookie on the users browser and do it that way? Obviously this cookie can be deleted but it's better then nothing.

I am not that good wit all the networking stuff. Is those dynamic IPs very common? Roughly what percentage of people will have them???

And to solve the big IPs table problem.. I have one Idea. it is liked bocked users table.

Basivally if someone gets caught with IP block function. They ID pair will be entered into that table. So before performing that IP check, firstly that table be check to see if that pair is already caught by IP block. IF it returns no results, then IP check will be carried out.

i am not sure if you understand what I mean... But cant think of better way to explain lol

[Karlos94]

I am not that good wit all the networking stuff. Is those dynamic IPs very common? Roughly what percentage of people will have them???

Maybe this quote could help!

Dynamic IP addressing is most common with mobile devices such as laptops and tablet PC because they are designed for mobility. Desktop PCs may also require dynamic IP address configuration if the network's IP addresses are centrally managed using DHCP.

Oh and maybe this as well.

[galdikas]

Sorry, but i don't think my english is that bad... So there is no need to send me sites like that....

I have seen people whose native language is english to spell way worse than me...!

[Paul Evans]

I'm sorry do you log every users ip when they log in?

[galdikas]

I'm sorry do you log every users ip when they log in?

Well yeah.. every time they log in, they IP gets logged :) Whys is it bad???

[InternalExpertCoding]

Im kind of jumping in here as I didn't read to much. But, From what I read, Wouldn't it be easier to...

Upon log-in, Check users IP for Multiples.

Then, Instead of logging every single IP that comes into your game,

Simply update the table to their new IP if they have one?

More so,

If my IP address is 122.888.1.2 And Then, I log in next time, my IP is then changed 122.889.2.0

and Update the table.

So, Take the User Id or Whatever you wish, and UPDATE it.

Much Simpler to me because if they are having multiple accounts, Whenever the Second person logs in, They then will have the same IP, Therefore, waste of space to auctally log and keep the IP's.

If it makes so sense, Sorry, As I said im going out on a limb here as I cannot be bothered to read the whole thing. Lol

[galdikas]

No that would not work :)

In order to get around this block all i need is to log in through proxy and do my stuff... Because it doesnt check all IPs that I have ever logged in.. only the last one :)