sleep
(PHP 3, PHP 4, PHP 5)
sleep -- Delay execution
Description
int sleep ( int seconds )
The sleep() function delays program execution for the
given number of seconds.
Example 1. sleep() example
<?php
echo date('h:i:s') . "\n";
sleep(10);
echo date('h:i:s') . "\n";
?>
This example will output (after 10 seconds)
See also usleep() and
set_time_limit()
Matt
01-Aug-2007 01:20
<?php
/**
 * Like PHP's sleep(), but this accepts decimal values
 *
 * @param float $seconds
 */
function sleep2($seconds) {
    // usleep() expects an integer number of microseconds
    usleep((int) floor($seconds * 1000000));
}
?>
anonymouse
15-May-2006 02:27
As I read everything I think that it is easiest to limit new authentication requests to some number for some time. And delay new authentication attempts that are over the limit.
If you don't want user disruption, make it auth req per second per IP
arielCo
28-Feb-2006 08:38
The sleep(3) *nix manpage reads:
DESCRIPTION
sleep() makes the current process sleep until [seconds]
seconds have elapsed or a signal arrives which is not
ignored.
So, ANY incoming signal that has not been set with pcntl_signal() to SIG_IGN causes sleep() to return.
If you don't want this, maybe
<?php
time_sleep_until(microtime(true) + $secs );
?>
will work, depending on CPU load.
RETURN VALUE
Zero if the requested time has elapsed, or the number of
seconds left to sleep.
The return value is an integer, and (at least in 5.1.2) it is the round()ed remaining time.
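The early return and the "seconds left" return value quoted from the manpage above can be observed directly. This is an added example, not part of the original note; it assumes a Unix CLI build of PHP with the pcntl extension, and `sleep_uninterrupted()` is a hypothetical helper name.

```php
<?php
// Added example. Assumes a Unix CLI build of PHP with the pcntl extension.
pcntl_async_signals(true);
pcntl_signal(SIGALRM, function (int $signo): void {
    echo "  (SIGALRM delivered)\n";
});

/**
 * Hypothetical helper: keep sleeping until the whole interval has passed.
 * sleep() returns 0 when it ran to completion and the number of whole
 * seconds left when a signal cut it short, so the remainder is fed back in.
 */
function sleep_uninterrupted(int $seconds): void {
    while ($seconds > 0) {
        $seconds = sleep($seconds);
    }
}

// Plain sleep(): the alarm fires after 1 second and sleep() returns early.
pcntl_alarm(1);
$start = microtime(true);
$left  = sleep(3);
printf("sleep(3) returned %d after %.1f s\n", $left, microtime(true) - $start);

// Wrapped: the same alarm interrupts the first call, then the loop resumes.
pcntl_alarm(1);
$start = microtime(true);
sleep_uninterrupted(3);
printf("sleep_uninterrupted(3) took %.1f s\n", microtime(true) - $start);
```

Because the remainder is reported in whole seconds, the resumed total is only accurate to about a second.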
Josh
08-Feb-2006 03:27
In regards to sleep being inconsistent, your benchmarks aren't accurate. You add overhead by bundling microtime() into your other function calls. I believe a more accurate benchmark could be obtained using this instead:
<?php
$t0 = microtime(true); // true returns a float, so $t1 - $t0 is the elapsed time
sleep(1);
$t1 = microtime(true);
?>
Granted I doubt that sleep() is accurate down to the nanosecond - the function call alone to retrieve the time will take time, and that amount of time may vary depending on the computer it is being run on, number of current processes and their priorities, etc. However, the above code will give you a more accurate representation.
-- Josh
warhog at warhog dot net
18-Dec-2005 01:24
on the note below.. that difference may also result out of the code used calculating your microtime-differences.. as your machine surely is a multi-tasking machine, this may have happened because of other processes on your machine.
justin at jennnixon dot com
23-Nov-2005 11:52
Sleep sometimes does not run for the EXACT amount of time specified.
<?php
$st = array_sum(explode(' ', microtime()));
sleep(1);
echo round(array_sum(explode(' ', microtime())) - $st, 7);
?>
On three trials, this returned
0.9998388
0.9999161
1.001672
25-Jul-2005 02:07
Regarding the use of sleep to discourage crackers, there is an alternative that could be used. Derived from the "HTTP Digest Access Authentication" concept at http://www.faqs.org/rfcs/rfc2617.html under chapter "3 Digest Access Authentication Scheme".
For every time the login page is requested, have the server generate and remember a nonce and attach it to the login form. When the form comes back with that nonce, check if the nonce received matches the one in memory. If yes, continue the login process, otherwise reject the login attempt. Throw away the nonce after one use.
Brute-force cracking won't be an option in this case, because the hacker/cracker must download the login page for every attempt to try a password. And this will also neatly sidestep a possible weakness via the use of "sleep" to DoS attacks.
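The issue, check and discard steps for the login nonce described in the note above, as an added example that is not part of the original post. A plain array stands in for `$_SESSION` or another server-side store; the function names and the 300-second lifetime are assumptions.

```php
<?php
// Added example: single-use login nonce. $store stands in for $_SESSION or a
// server-side cache; function names and NONCE_TTL are hypothetical.
const NONCE_TTL = 300; // seconds a nonce stays valid (assumed value)

/** Called when the login form is rendered: create and remember a nonce. */
function issue_nonce(array &$store, int $now): string {
    $nonce = bin2hex(random_bytes(16));  // 128 bits from the CSPRNG
    $store[$nonce] = $now + NONCE_TTL;   // value is the expiry time
    return $nonce;                       // goes into a hidden form field
}

/** Called when the form comes back: accept each nonce at most once. */
function consume_nonce(array &$store, string $submitted, int $now): bool {
    if (!isset($store[$submitted])) {
        return false;                    // never issued, or already used
    }
    $expires = $store[$submitted];
    unset($store[$submitted]);           // throw the nonce away after one use
    return $now <= $expires;             // stale forms are rejected too
}

// Constructed walk-through of the cases a login handler has to tell apart.
$store = [];
$now   = time();

$nonce = issue_nonce($store, $now);
echo "first submit:  ", var_export(consume_nonce($store, $nonce, $now), true), "\n";
echo "replayed:      ", var_export(consume_nonce($store, $nonce, $now), true), "\n";
echo "never issued:  ", var_export(consume_nonce($store, 'deadbeef', $now), true), "\n";

$old = issue_nonce($store, $now);
$late = $now + NONCE_TTL + 1;
echo "expired:       ", var_export(consume_nonce($store, $old, $late), true), "\n";
echo "left in store: ", count($store), "\n";
```

In a real handler the password check runs only after `consume_nonce()` returns true, and the submitted field should be confirmed to be a string before it is passed in.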
linus at flowingcreativity dot net
08-Jul-2005 08:07
This may seem obvious, but I thought I would save someone from something that just confused me: you cannot use sleep() to sleep for fractions of a second. This:
<?php sleep(0.25) ?>
will not work as expected. The 0.25 is cast to an integer, so this is equivalent to sleep(0). To sleep for a quarter of a second, use:
<?php usleep(250000) ?>
vmadman at gmail.com
02-Jul-2005 02:43
I think you guys are overthinking this. It's always nice to code expecting the worst, but odds are, you will never have someone targeting you for exploits in your custom code.
They would rather find exploits in a nuke site so that they can do the most damage.
With that aside, an effective way to prevent brute force attacks would be to only allow a certain number of authentication attempts at once, regardless of the IP.
15 would be a safe number, and sleep(10). Brute force attacks can only be successful under two conditions, 1) be able to process insanely fast, or 2) get really lucky and find an easy password.
When an authentication request starts, write a row to a MySQL table and delete it when you're done. Also mysql_num_rows when you start the request.
Deny immediately if num_rows returns greater than 15, sleep 10 seconds if num_rows exceeds 10, and sleep 5 seconds no matter what.
This progressive security approach would not only be effective, but would baffle the cracker. (he cannot see your code and would not know what is going on)
But do not let anyone tell you any different. If he decides to DoS you (and he has the resources to pull it off).. there is nothing you can do to stop it outside of notifying your ISP.
-Luke
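One way to implement the in-flight counter and the 15/10/5 thresholds from the note above, as an added example that is not the poster's code. An in-memory SQLite database (pdo_sqlite) stands in for the MySQL table; the table name, the function names, the 60-second stale-row cutoff and counting the request's own row are assumptions.

```php
<?php
// Added example, not the poster's code. Names and the stale-row cutoff are
// hypothetical; SQLite in memory stands in for the MySQL table.
const DENY_ABOVE = 15;  // thresholds taken from the note above
const SLOW_ABOVE = 10;

/** Map the number of in-flight auth requests to [action, delay in seconds]. */
function throttle_decision(int $inFlight): array {
    if ($inFlight > DENY_ABOVE) { return ['deny', 0]; }
    if ($inFlight > SLOW_ABOVE) { return ['allow', 10]; }
    return ['allow', 5];
}

/** Record this request, then decide from the row count (own row included). */
function begin_auth(PDO $db, int $now): array {
    // Rows left behind by crashed requests would otherwise lock everyone out.
    $db->prepare('DELETE FROM auth_inflight WHERE started < ?')->execute([$now - 60]);
    $db->prepare('INSERT INTO auth_inflight (started) VALUES (?)')->execute([$now]);
    $id    = (int) $db->lastInsertId();
    $count = (int) $db->query('SELECT COUNT(*) FROM auth_inflight')->fetchColumn();
    return [$id, throttle_decision($count)];
}

/** Remove the row once the request is done; call this from a finally block. */
function end_auth(PDO $db, int $id): void {
    $db->prepare('DELETE FROM auth_inflight WHERE id = ?')->execute([$id]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_inflight (id INTEGER PRIMARY KEY, started INTEGER)');

// Constructed load: 17 requests arrive before any of them finishes.
// A real handler would sleep($delay) and check the password where this prints.
$now = time();
$ids = [];
for ($i = 1; $i <= 17; $i++) {
    [$id, [$action, $delay]] = begin_auth($db, $now);
    $ids[] = $id;
    if (in_array($i, [1, 10, 11, 15, 16], true)) {
        echo "request $i: $action, delay {$delay}s\n";
    }
}
foreach ($ids as $id) {
    end_auth($db, $id);
}
```

Every delayed request holds a PHP worker for the whole sleep, so the deny threshold needs to stay below the size of the worker pool.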
Breeze at Hotmail dot com
04-Jun-2005 12:51
I would consider adding a random sleep (2 to 5 sec), before checking the login-information, and an IP-based ban-list, making multithreaded attacks useless, to be a good protection.
"[...] Fill[ing] the wire with datagrams [...]" may slow down, but won't block your server.
If a "very bad hacker" (tm) has the possibility to use hundreds of machines to attack your server he will surely bring down your system insignificantly if you're using a sleep() or not.
mit freundlichen Gr