> Then, it is not safe to do IP-based blocking, right? Any alternative?
As I mentioned in an earlier post (my original reply to you): > If I can't trust $HTTP_REFERER, how can I deny malicious attack like > that? The best way is authentication... that is asking the user for a username and password before doing getting the data (then you can block out specific users should they attack you - but you can only do that after the incident). There are other methods - I dont know what the load on your server is generating, but Im pretty sure there will be an alternative way of doing it. eg: on request do the load-based method and dump the details into a temporary table with a timestamp of the last time it was updated. If you get the same request within x minutes (or hours / days) then serve up the generated information from the table. This would mean that your db no longer gets hammered if malitious users were to launch 5000 requests at it in the space of 10 mins, it would just do the big DB operation the once. -- Dan Hardiker [[EMAIL PROTECTED]] ADAM Software & Systems Engineer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php