# PHP algorithm



## 3870x2 (Jan 23, 2011)

So, while I am a novice programmer in many languages, I am fairly new to PHP.

I have a replay uploading / viewing system at fortheswarm.org

Managing the security, I want to do a few things when it comes to uploading:

1. Limit number of uploads. (per day, so a bot can't upload 10,000 replays, etc...)
2. Prevent SQL tampering / injection (information is parsed from files, we want to preserve the integrity of the parsed information)

1 should be easy:

```
variables: userLastReplaySubmitted,

userLastReplaySubmitted (ie tossproLastReplaySubmitted = null)
generate time for last replay submitted
if userLastReplaySubmitted > 24 hours, userNumberOfReplays = 0
if userNumberOfReplays > 30 then deny upload
```

This will prevent more than 30 replays from being uploaded in less than 24 hours, which is about the number we are looking for. We currently have 10 TB available to us (easily upgradeable) and the replays average 50k-150k.

Would there be better logic than this? Something that would be easier?

2 is going to be hard, and I could only think of maybe encryption of some sort, but I have never messed with encryption before data is written to the database.


----------



## Kreij (Jan 23, 2011)

Your questions are not really PHP-specific (code implementation) and are more of a design nature.

For upload limiting, you can limit based on account info or IP address or both.

For SQL injection you will want to sanitize any query to the database so that it can do no harm.
How is the database being queried exactly?


----------



## 3870x2 (Jan 23, 2011)

Clear text, obviously: getting and setting based on the actions of the user from the fields of the replay database and the authenticated users' database.

Only authenticated users may upload replays, and we have a system that catches a good 99% of the spam.

We want to maintain the integrity of the information of the uploaded files by methods such as changing a field between parsing a file.

I.e. user uploads a replay, hits the upload button. User uses a program to catch the information going into SQL and change a field, like one of the player names from the replay.

My programming experience has all been C++, Java, etc. Keep this in mind and speak very slowly to me.


----------



## Kreij (Jan 23, 2011)

Sorry for taking a little while, but I had to give this some thought. 

If all of your SQL commands are being generated on-the-fly, server side, then you should only have to worry about validating and sanitizing the resultant command that gets executed against the database and not have to worry about encrypting anything.

Or am I not understanding this at all? :/


----------



## Disparia (Jan 23, 2011)

Kreij, you're working too hard, go have a beer.


PHP has PDO for sanitation (and database abstraction). A lot of hosts have it enabled.

Simple example,

```php
<?php
$dbc = new PDO('mysql:host=localhost;dbname=replays', 'username', 'password');

// Functions go in the VALUES list, not the column list: the IP is bound
// as a string and INET_ATON converts it on the database side.
$sql = 'INSERT INTO replay_log (timestamp, ip, message) VALUES (?, INET_ATON(?), ?)';

$stm = $dbc->prepare($sql);

$stm->bindValue(1, time(), PDO::PARAM_INT);
// REMOTE_ADDR holds the client IP; REMOTE_HOST is a hostname and is usually unset.
$stm->bindValue(2, $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);

/* Let's assume you allow them to post a comment about it.
Could contain injected code, but the method bindValue will
correctly prepare it for the database. */
$stm->bindValue(3, $_POST['comment'], PDO::PARAM_STR);

$stm->execute();
```

There will be a lot more to your page, but php.net is how I learned 90% of PHP. For the most part, functions and syntax are well documented, along with examples.


----------



## caleb (Jan 24, 2011)

You could store the counter in a database and have an hourly process checking and clearing the upload counters. It's not much, but I think it will be one IF less in the script that's being called client-side, and it costs you "nothing" to run that kind of stuff on the server side.
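The per-user limit sketched in the first post, kept in the database as caleb suggests, as an added example that is not code from anyone in this thread. It counts from the start of a 24-hour window rather than from the last upload, so a steady uploader is not locked out for good, and it uses an in-memory SQLite table so it runs stand-alone; the table, column and user names are my own choices.

```php
<?php
// Added example: per-user upload quota, 30 uploads per 24-hour window,
// checked and updated with prepared statements inside one transaction.
const MAX_UPLOADS = 30;
const WINDOW_SECONDS = 24 * 3600;

function setupSchema(PDO $db): void {
    // Assumed table layout (not from the thread).
    $db->exec('CREATE TABLE upload_quota (
        username     TEXT PRIMARY KEY,
        window_start INTEGER NOT NULL,
        uploads      INTEGER NOT NULL)');
}

// Returns true and records the upload when the user is under the limit,
// false (recording nothing) once the limit for the current window is reached.
function tryRecordUpload(PDO $db, string $user, int $now): bool {
    $db->beginTransaction();
    $sel = $db->prepare('SELECT window_start, uploads FROM upload_quota WHERE username = ?');
    $sel->execute([$user]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    // No row yet, or the window opened 24h or more ago: start a fresh window.
    if ($row === false || $now - (int)$row['window_start'] >= WINDOW_SECONDS) {
        $row = ['window_start' => $now, 'uploads' => 0];
    }
    if ((int)$row['uploads'] >= MAX_UPLOADS) {
        $db->rollBack();
        return false;
    }
    $up = $db->prepare('INSERT OR REPLACE INTO upload_quota (username, window_start, uploads) VALUES (?, ?, ?)');
    $up->execute([$user, (int)$row['window_start'], (int)$row['uploads'] + 1]);
    $db->commit();
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);

// Constructed scenario: one user tries 35 uploads a minute apart, then one more a day later.
$t0 = 1295740800; // constructed timestamp (Jan 23 2011 00:00 UTC)
$accepted = 0;
for ($i = 0; $i < 35; $i++) {
    if (tryRecordUpload($db, 'tosspro', $t0 + $i * 60)) { $accepted++; }
}
echo "accepted within the window: $accepted\n";
echo "accepted after 24h: " . var_export(tryRecordUpload($db, 'tosspro', $t0 + WINDOW_SECONDS), true) . "\n";
```

`INSERT OR REPLACE` is SQLite syntax; on the MySQL setup from the PDO example above the equivalent is `INSERT ... ON DUPLICATE KEY UPDATE`.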


----------

