Slow response of a Php+MySql application -


i running chatroom (phpfreechat) mysql+php. have dedicated server run script can consume lots of resources. works fine 100 concurrent users. however, user threaten kill chatroom , doing :(

there 40 users , chatroom dead. takes 10-20 seconds deliver 1 message. mysql eating 300% plus cpu. however, 100 users (when it's not under attack), chatroom uses 200-300% cpu. checked following things make sure not dosing/ddosing our server. 

1 - limited 3 requests per seconds. 2 - analyzed access.log see weird activity or crlf slow attacks. there none. 3 - looked per ip connections using netstat command , none has lots of connections.  4 - disabled ping of death

static website on server works fine under attack. assuming exploiting mysql via chatroom sending many requests. ran following query see current connections mysql:

show status `variable_name` = 'threads_connected'

the result 7 looks pretty normal. there other step can perform block attack , protect server (chatroom)?

(from last comment) ahh, means attacker trying queries using mysql injection, first have

1) sanitize inputs

if using pdo or mysqli use bind params (prepared statements) feature filter inputs

or @ least mysqliescapestring inputs

and if php page takes value .../page.php?id=10 check value & make sure integer below

if(is_numeric($_get['id'])){ //do operations...}else { //suspicious input given exit}

2) limit query execution time

as having long running queries (which hacker), limit query execution time , use statement timeouts, wait_timeout features query have limited execution time

and said earlier in apache access log you'll find these sleep queries parameters so, find , block ip


Comments

Post a Comment

Popular posts from this blog

c# - Validate object ID from GET to POST -

i have method allows user access comment have made on site. have post method lets them update comment. my normal solution send entire comment model through, let them update it, update on database when post back. involve sending commentid through in hiddenfor , can manipulated. how can verify commentid sent in get method same i'm getting in post , not able alter comment wish? how can verify commentid sent in method same i'm getting in post? basically have validate following things in post - user logged-in user. authenticated users post comments. commentid in post , should valid commentid , should present in database. userid associated logged-in user should same userid associated comment . comment should contain userid column, can check @ time of update. to make sure update happens comment has been sent in get - hold commentid in session , in post action compare commentid value in session .
Read more

node.js - Custom Model Validator SailsJS -

when using custom model validator checks record within model. return within spread doesn't seem end control flow. //post.js model /** * custom validator **/ types: { isuservalid: function(user_id) { var promise = require('bluebird'); promise.all([ user.findone({id: user_id}) ]) .spread(function(user) { console.log(user); if (user === null || user === undefined) { console.log('failed'); return false; }else{ console.log('passed'); return true; } }); } }, my response standard validation failed response. { "error": "e_validation", "status": 400, "summary": "1 attribute invalid", "model": "post", "invalidattributes": { "owner": [ { "rule": "isuservalid", ...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more