[Sussex] Signing up to the Moot next week.

Gareth Ablett Gareth.Ablett at itpserve.co.uk
Mon Oct 25 08:49:44 UTC 2004


Steve,

I know you won't read this till you get back but hey, not going to stop me
sending it.

Ok, just to let you know it wasn't me, although I did point out the
possible problem that this form had when we went to the linuxexpo. tbh I
feel the script is somewhat open to attack; as I've learnt with forms
like this online, it is well worth using a few bits of security.

1. Log the IP of who posted; don't let the same person submit a name or
activate more than, say, twice in 5 additions/activations.

2. Log all IPs in the database; that way you will have an easier method
of removing them in one query.

3. Add a confirm page; this prevents automation in a lot of cases and
slows down would-be pranksters.


Just my pennies' worth, feel free to implement any or none of these ideas.


Gareth Ablett
Systems Developer

ITP Services Ltd.
http://www.itpserve.co.uk/

------------------------------------------------------------------------
The recipient acknowledges that ITP Services Ltd is unable to control
the content of information in transmitting mail and attachments over the
Internet. ITP Services Ltd makes no warranty as to the quality,
accuracy and content of information contained in or with this message.
In reading, opening or receiving this e-mail the recipient accepts full
responsibility for its content and attachments.

> -----Original Message-----
> From: Steve Dobson [mailto:steve at dobson.org]
> Sent: 22 October 2004 11:42 pm
> To: Sussex Linux User Group
> Subject: [Sussex] Signing up to the Moot next week.
> 
> Guys
> 
> It appears that someone signed up everyone on the list.  I don't know
> why, maybe they were just being "helpful" so that everyone would be on
> the list.
> 
> Luckily the database table holds more information than just the
> names of people attending and I can tell (and so can you if
> you look below) that the names were signed up within a few seconds
> of each other.  I know that it wasn't a new attendee that did this,
> as the only new name on the list is Antoine's, and he signed up
> well before 22:00hrs.
> 
> I have reset the database so that anyone signed up after 22:00 hrs
> is now removed (except John Davis as he has signed on again just
> after I updated the database.)
> 
> If the "prankster" persists then I will modify the code so that it
> is not possible for him to do this.  The new procedure will require
> everyone to "log on", and only known people will be able to sign other
> members up (just like everyone can now).
> 
> When I designed the form I knew that someone could do this, but didn't
> think that they would pose a big problem.  It only takes a few seconds
> for me to change the database back by hand.  I designed the form in
> such a way that from the web page you can only sign up - so no one
> would be removed who didn't want to be.
> 
> The database table now looks like this.  So if you went to the page
> and found that you had already been signed up and your name now has a
> 'N' by it then you will need to sign up again - sorry.
> 
> +-------------------+--------+---------------------+---------------------+
> | name              | attend | signedup            | created             |
> +-------------------+--------+---------------------+---------------------+
> | Steve Dobson      | Y      | 2004-10-22 15:31:35 | 2004-08-01 17:07:52 |
> | Gareth Ablett     | Y      | 2004-10-22 15:51:34 | 2004-08-01 17:20:50 |
> | Antoine JOSSERAND | Y      | 2004-10-22 17:36:39 | 2004-10-22 17:36:39 |
> | Paul Baines       | N      | 2004-10-22 22:08:23 | 2004-09-25 09:42:01 |
> | Al Bennett        | N      | 2004-10-22 22:09:15 | 2004-08-21 19:48:28 |
> | Andrew Guard      | N      | 2004-10-22 22:09:17 | 2004-09-25 20:25:07 |
> | Angelo Servini    | N      | 2004-10-22 22:09:19 | 2004-08-20 15:47:27 |
> | David Chapman     | N      | 2004-10-22 22:09:21 | 2004-08-20 09:19:07 |
> | Derek Harding     | N      | 2004-10-22 22:09:22 | 2004-08-23 07:34:50 |
> | Gavin Stevens     | N      | 2004-10-22 22:09:29 | 2004-09-24 23:38:29 |
> | George Hibberd    | N      | 2004-10-22 22:09:34 | 2004-09-24 15:53:42 |
> | Mark Harrison     | N      | 2004-10-22 22:09:37 | 2004-08-20 11:11:49 |
> | John Gregory      | N      | 2004-10-22 22:09:44 | 2004-09-28 15:08:44 |
> | Jon Fautley       | N      | 2004-10-22 22:09:50 | 2004-08-01 17:07:52 |
> | Karl Jorgensen    | N      | 2004-10-22 22:09:54 | 2004-09-24 16:59:51 |
> | Matt Brown        | N      | 2004-10-22 22:10:12 | 2004-09-24 15:53:35 |
> | Nik Butler        | N      | 2004-10-22 22:10:16 | 2004-08-01 17:07:52 |
> | Paul Morris       | N      | 2004-10-22 22:10:20 | 2004-08-01 17:07:52 |
> | Peter Tyrrell     | N      | 2004-10-22 22:10:24 | 2004-09-30 10:39:45 |
> | Steve Williams    | N      | 2004-10-22 22:10:28 | 2004-08-23 22:18:42 |
> | Trevor Marshall   | N      | 2004-10-22 22:10:35 | 2004-09-29 18:30:24 |
> | John Davis        | Y      | 2004-10-22 23:12:20 | 2004-09-26 11:02:11 |
> +-------------------+--------+---------------------+---------------------+
> 
> Steve
> 
> _______________________________________________
> Sussex mailing list
> Sussex at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/sussex

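The three measures Gareth lists above (log the poster's IP and cap how many of the recent additions one IP may make, keep the IP in the table so a prankster's rows can be removed in one query, and put a confirm step between the form and activation), together with the burst-of-timestamps pattern Steve read off his table, as an added example. This is not Steve's sign-up script nor anything from the Sussex LUG; it is a self-contained sketch using SQLite in place of the real database, with Gareth's "twice in 5" figures as the assumed thresholds and constructed names, timestamps and RFC 5737 test addresses in place of the real data.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta

# Thresholds taken from Gareth's suggestion (assumed, tune to taste): look back
# over the last 5 additions/activations and allow one IP at most 2 of them.
WINDOW = 5
MAX_PER_IP = 2
FMT = "%Y-%m-%d %H:%M:%S"


def open_db():
    """Columns modelled on Steve's table, plus the poster's IP and a confirm token."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE signups (
        id INTEGER PRIMARY KEY, name TEXT NOT NULL, attend TEXT NOT NULL,
        ip TEXT NOT NULL, signedup TEXT NOT NULL, token TEXT)""")
    return db


def legacy_signup(db, name, ip, when):
    """The old one-step form: anything POSTed is immediately attend='Y'."""
    db.execute("INSERT INTO signups (name, attend, ip, signedup) VALUES (?, 'Y', ?, ?)",
               (name, ip, when.strftime(FMT)))


def ip_over_limit(db, ip):
    """Point 1: True once this IP already owns MAX_PER_IP of the last WINDOW rows."""
    rows = db.execute("SELECT ip FROM signups ORDER BY id DESC LIMIT ?", (WINDOW,)).fetchall()
    return sum(1 for (r,) in rows if r == ip) >= MAX_PER_IP


def request_signup(db, name, ip, when):
    """Step one of the two-step form: store the request unconfirmed (attend='N')
    with the poster's IP and return a one-time token for the confirm page,
    or None when the IP is over the limit."""
    if ip_over_limit(db, ip):
        return None
    token = secrets.token_urlsafe(16)
    db.execute("INSERT INTO signups (name, attend, ip, signedup, token) VALUES (?, 'N', ?, ?, ?)",
               (name, ip, when.strftime(FMT), token))
    return token


def confirm_signup(db, token):
    """Point 3, step two: only a request that presents its token is activated,
    so a scripted POST to the first page alone never marks anyone 'Y'."""
    cur = db.execute("UPDATE signups SET attend = 'Y', token = NULL WHERE token = ?", (token,))
    return cur.rowcount == 1


def burst_runs(db, max_gap=10, min_run=3):
    """Detection: runs of min_run or more signups, each within max_gap seconds
    of the previous one, which is the pattern Steve spotted in the timestamps."""
    rows = db.execute("SELECT name, signedup FROM signups ORDER BY signedup, id").fetchall()
    runs, current, prev = [], [], None
    for name, stamp in rows:
        t = datetime.strptime(stamp, FMT)
        if prev is not None and (t - prev).total_seconds() <= max_gap:
            current.append(name)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [name]
        prev = t
    if len(current) >= min_run:
        runs.append(current)
    return runs


def purge_ip(db, ip):
    """Point 2: with the IP logged, one query removes everything it added."""
    return db.execute("DELETE FROM signups WHERE ip = ?", (ip,)).rowcount


def attending(db):
    return [n for (n,) in db.execute("SELECT name FROM signups WHERE attend = 'Y' ORDER BY id")]


def demo():
    """Constructed data, not the real list: two genuine signups hours apart,
    then one address pushing five names through the old form seconds apart."""
    db = open_db()
    t0 = datetime(2004, 10, 22, 15, 31, 35)
    legacy_signup(db, "Member One", "192.0.2.10", t0)
    legacy_signup(db, "Member Two", "192.0.2.20", t0 + timedelta(hours=2))
    for i in range(5):
        legacy_signup(db, f"Victim {i}", "192.0.2.99", t0 + timedelta(hours=6, seconds=2 * i))
    runs = burst_runs(db)                # the five "Victim" rows form one run
    purged = purge_ip(db, "192.0.2.99")  # all five removed by a single DELETE
    # The same address retried against the new form: only two requests are
    # recorded at all, and none becomes attend='Y' without the confirm step.
    tokens = [request_signup(db, f"Victim {i}", "192.0.2.99", t0 + timedelta(hours=7, seconds=i))
              for i in range(5)]
    accepted = sum(t is not None for t in tokens)
    # A genuine member completes both steps.
    tok = request_signup(db, "Member Three", "192.0.2.30", t0 + timedelta(hours=8))
    confirmed = confirm_signup(db, tok)
    return {"runs": runs, "purged": purged, "accepted": accepted,
            "confirmed": confirmed, "attending": attending(db)}


if __name__ == "__main__":
    print(demo())
```

The per-IP cap is deliberately counted over the last few rows rather than over wall-clock time, matching Gareth's "twice in 5 additions" wording; a shared NAT or proxy address will hit it sooner than a time window would, which is the usual trade-off with IP-based limits. The burst detector only reads the `signedup` column, so it can also be run over an existing table that never logged IPs.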