October 26, 2003
Tabulas Work
I spent the past two days working on a new feature for Tabulas: "blocking" or "banning" users from viewing your journal.
This is a weird feature in a sense because I've never believed in policing the communities I create, but it's become a necessity since there are some people who love to harass others using these online journaling sites.
Implementing this feature was tough: the only way of fully authenticating users (or the best way rather) is to use someone's IP address. An IP address is akin to a phone number; it "uniquely" identifies your computer's virtual location with a series of numbers. For instance, my IP address is: 152.23.203.236.
The problem here is that the IP address information is sent by the browser whenever it visits a site and can be spoofed. This means that the only real way of authenticating users is not really foolproof.
The other pure method of banning a user is using the Tabulas username; if you're logged in and your Tabulas username is listed in someone's block list, you're denied entry into the site. But this isn't really useful in itself; someone can simply log-out and then view the journal.
I was briefly throwing around the idea of sending a cookie to someone's computer if they've been added to a blocklist; this could potentially lock out non-comp savvy users so they can never access the site (as long as they keep the cookie). The only problem is that this requires me keeping a log of cookies issued and to what site they were for; what if someone removes a ban and the person who was previously banned still has the cookie?
Too much work.
You'll also notice that if you're banned, Tabulas simply returns an error message and not a blatant "you've been banned" message. I've learned that it's easier to let people think there's been a error with the system (who won't believe in computer errors this day in age) than to confront someone head-on and say 'YOU'VE BEEN BANNED.'
I find when I do the latter, it's almost an invitation for people to try to get around the banning. Very passive-aggressive of me. Darn.
Edit: Man, I'm pretty stupid. I didn't even talk about what I meant to talk about.
When I was doing this IP banning feature, a big question came up in my mind as to how to store each IP address. I *could* create a full table for it and store each IP address as an entry with a unique ID ... but this would create yet ANOTHER table in the Tabulas database (the Tabulas database has something like 60 tables, it's ridiculous). Instead I attached on two more fields onto an existing table; I store all the IP addresses and banned usernames in one field, separated by commas.
To break down the methodology: (numbers in brackets indicate step number)
[1] Select comma-separated data of banned IPs and banned usernames (two fields in one table) for selected user
[2] Throw that data into memory and explode (create a hash of all values)
[3] Use php in_array() to quickly sort through the hash to figure out if the user is banned. If so, return a "error" page.
I would of used to do it like this:
[1] Take IP address from user and run a SELECT COUNT(*) query from mySQL to see if any IP addresses matched.
[2] If so, then fail.
Although the method I use is a bit "longer" in terms of CPU, it takes a load off of the mySQL database. I can add almost unlimited number of 'front-end' PHP computers to handle the output of the site, but mySQL has poor clustering support. This means that I'll eventually have a server cluster where I have one mySQL server and tons of PHP server. In any case, the idea is to take a load off of mySQL since load-balancing with PHP will be 10x easier.
This is a weird feature in a sense because I've never believed in policing the communities I create, but it's become a necessity since there are some people who love to harass others using these online journaling sites.
Implementing this feature was tough: the only way of fully authenticating users (or the best way rather) is to use someone's IP address. An IP address is akin to a phone number; it "uniquely" identifies your computer's virtual location with a series of numbers. For instance, my IP address is: 152.23.203.236.
The problem here is that the IP address information is sent by the browser whenever it visits a site and can be spoofed. This means that the only real way of authenticating users is not really foolproof.
The other pure method of banning a user is using the Tabulas username; if you're logged in and your Tabulas username is listed in someone's block list, you're denied entry into the site. But this isn't really useful in itself; someone can simply log-out and then view the journal.
I was briefly throwing around the idea of sending a cookie to someone's computer if they've been added to a blocklist; this could potentially lock out non-comp savvy users so they can never access the site (as long as they keep the cookie). The only problem is that this requires me keeping a log of cookies issued and to what site they were for; what if someone removes a ban and the person who was previously banned still has the cookie?
Too much work.
You'll also notice that if you're banned, Tabulas simply returns an error message and not a blatant "you've been banned" message. I've learned that it's easier to let people think there's been a error with the system (who won't believe in computer errors this day in age) than to confront someone head-on and say 'YOU'VE BEEN BANNED.'
I find when I do the latter, it's almost an invitation for people to try to get around the banning. Very passive-aggressive of me. Darn.
Edit: Man, I'm pretty stupid. I didn't even talk about what I meant to talk about.
When I was doing this IP banning feature, a big question came up in my mind as to how to store each IP address. I *could* create a full table for it and store each IP address as an entry with a unique ID ... but this would create yet ANOTHER table in the Tabulas database (the Tabulas database has something like 60 tables, it's ridiculous). Instead I attached on two more fields onto an existing table; I store all the IP addresses and banned usernames in one field, separated by commas.
To break down the methodology: (numbers in brackets indicate step number)
[1] Select comma-separated data of banned IPs and banned usernames (two fields in one table) for selected user
[2] Throw that data into memory and explode (create a hash of all values)
[3] Use php in_array() to quickly sort through the hash to figure out if the user is banned. If so, return a "error" page.
I would of used to do it like this:
[1] Take IP address from user and run a SELECT COUNT(*) query from mySQL to see if any IP addresses matched.
[2] If so, then fail.
Although the method I use is a bit "longer" in terms of CPU, it takes a load off of the mySQL database. I can add almost unlimited number of 'front-end' PHP computers to handle the output of the site, but mySQL has poor clustering support. This means that I'll eventually have a server cluster where I have one mySQL server and tons of PHP server. In any case, the idea is to take a load off of mySQL since load-balancing with PHP will be 10x easier.
Comment with Facebook
Want to comment with Tabulas?. Please login.