tags:

views:

154

answers:

3
+1  Q: 

Quick and easy flood protection?

I have a site where a user submits a message using AJAX to a file called like.php. In this file the users message is submitted to a database and it then sends a link back to the user. In my Javascript code I disabled the text box the user types into when they submit the AJAX request.

The only problem is, a malicious user can just constantly send POST requests to like.php and flood my database. So I would like to implement simple flood protection.

I don't really want the hassle of another database table logging users IPs and such... as if they are flooding my site there will be a lot of database read/writes slowing it down. I thought about using sessions, like have a session that contains a timestamp that gets checked every time they send data to like.php, and if the current time is before the timestamp let them add data to the database, otherwise send out an error and block them. If they are allowed to enter something into the database, update their session with a new timestamp.

What do you think? Would this be the best way to go about it or are there easier alternatives?

Thanks for any help. :)

A: 

I thought about using sessions, like have a session that contains a timestamp that gets checked every time they send data to like.php

This won't stop bots as they can receive and send the same cookies that users do.

You should really have users logging into such a system. Seems to be worth protecting access. You could also consider limiting posts per minute per ip but multiple bots could still send many spam messages.

If you don't want to implement a login then many sites use captcha to try and cut down on such attempts.

http://www.phpcaptcha.org/

webbiedave  2010-06-11 22:32:12
Thanks. I really don't like the idea of a user system or a CAPTCHA as the main goal of the site is meant to be quick and fast to send a message. Looks like i'll have to go with the IP address logging after all.
VIVA LA NWO  2010-06-11 22:33:32
+3  A: 

Use a token. You generate the token and add it to the page originating the request. In like.php you verify that the request contains a valid token, which means it comes from your page instead of an external one POSTing directly.

kemp  2010-06-11 22:42:07
Then, most importantly, you invalidate the token once it's been used. Attaching the token to the session also adds another layer of anti-bot code. (Primitive bots won't do cookies.) Now, advanced bots will still work, but it'd be more work for the bot author.
Charles  2010-06-11 23:47:29
This is actually perfect. But how will I generate the token? Just a hash from a random number or something? And also how will `like.php` know what token is valid or not? Should I sent it though a SESSION? :) Cheers!
VIVA LA NWO  2010-06-13 01:57:11
+1  A: 

Session is the easiest to do this, and has the least overhead as well. You can store two bits of data in the session, timestamp of last post, and the ip the post is comming from. Here is how you check legitimacy then:

session_start()
if(isset($_SESSION['ip']) && $_SESSION['last_post'] + MININTERVAL < time()) die('too early');

$_SESSION['last_post'] = time();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// store the message
Majid  2010-06-11 23:23:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases