views: 154
answers: 3
I have a site where a user submits a message using AJAX to a file called like.php. In this file the user's message is submitted to a database and it then sends a link back to the user. In my JavaScript code I disabled the text box the user types into when they submit the AJAX request.

The only problem is, a malicious user can just constantly send POST requests to like.php and flood my database. So I would like to implement simple flood protection.

I don't really want the hassle of another database table logging users' IPs and such... as if they are flooding my site there will be a lot of database read/writes slowing it down. I thought about using sessions, like have a session that contains a timestamp that gets checked every time they send data to like.php, and if the current time is before the timestamp let them add data to the database, otherwise send out an error and block them. If they are allowed to enter something into the database, update their session with a new timestamp.

What do you think? Would this be the best way to go about it or are there easier alternatives?

Thanks for any help. :)

A: 

I thought about using sessions, like have a session that contains a timestamp that gets checked every time they send data to like.php

This won't stop bots as they can receive and send the same cookies that users do.

You should really have users logging into such a system. Seems to be worth protecting access. You could also consider limiting posts per minute per IP, but multiple bots could still send many spam messages.

If you don't want to implement a login then many sites use captcha to try and cut down on such attempts.

http://www.phpcaptcha.org/

webbiedave
Thanks. I really don't like the idea of a user system or a CAPTCHA as the main goal of the site is meant to be quick and fast to send a message. Looks like I'll have to go with the IP address logging after all.
VIVA LA NWO
+3  A: 

Use a token. You generate the token and add it to the page originating the request. In like.php you verify that the request contains a valid token, which means it comes from your page instead of an external one POSTing directly.

kemp
Then, most importantly, you invalidate the token once it's been used. Attaching the token to the session also adds another layer of anti-bot code. (Primitive bots won't do cookies.) Now, advanced bots will still work, but it'd be more work for the bot author.
Charles
This is actually perfect. But how will I generate the token? Just a hash from a random number or something? And also how will `like.php` know what token is valid or not? Should I send it through a SESSION? :) Cheers!
VIVA LA NWO
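To answer the follow-up concretely, here is an added example (not code from kemp, Charles or the original site) of the single-use, session-bound token they describe: the page issues a token and stores it in the session, like.php compares the submitted value against the session copy and discards it whether or not the check passes, so each token can be used at most once. Function names, the `like_token` session keys, the POST field name `token` and the 10-minute lifetime are my own assumptions; it assumes PHP 7 or later with sessions enabled.

```php
<?php
// Added example: session-bound, single-use request token.
// Not part of the original answers; names and layout are assumptions.

// Shared helpers (e.g. in tokens.php, included by both the page and like.php).

// Create a fresh token, remember it in the session and return it for the page.
function issue_token(): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['like_token'] = $token;
    $_SESSION['like_token_issued'] = time();
    return $token;
}

// Check a submitted token against the session copy and consume it.
// Returns true at most once per issued token.
function consume_token(?string $submitted, int $max_age = 600): bool {
    if ($submitted === null || !isset($_SESSION['like_token'])) {
        return false;                            // nothing issued, or nothing sent
    }
    $expected = $_SESSION['like_token'];
    $issued   = $_SESSION['like_token_issued'] ?? 0;
    // Invalidate before comparing: pass or fail, this token is spent, so a
    // guessed or replayed value cannot be retried against the same session.
    unset($_SESSION['like_token'], $_SESSION['like_token_issued']);
    if (time() - $issued > $max_age) {
        return false;                            // stale token
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// Page side: HTML for the hidden field the JavaScript reads and sends as POST "token".
function token_field(): string {
    return '<input type="hidden" id="like_token" value="'
         . htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// like.php entry point (assumed file layout): verify, then hand back a new token
// so the same page can make its next request.
session_start();
if (!consume_token($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('invalid or expired token');
}
// ... store the message and build the link here (not shown) ...
header('Content-Type: application/json');
echo json_encode(['token' => issue_token()]);
```

The page calls `session_start()` and then `token_field()` inside the form; the JavaScript includes that value with every POST and replaces it with the `token` returned in the JSON. Because the valid token lives only in the server-side session, like.php never has to trust anything the client sends beyond the comparison itself, and a request that arrives without the matching session cookie fails regardless of what token it carries.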
+1  A: 

A session is the easiest way to do this, and has the least overhead as well. You can store two bits of data in the session: the timestamp of the last post, and the IP the post is coming from. Here is how you check legitimacy then:

<?php
define('MININTERVAL', 30); // minimum seconds between two posts
session_start();
// reject if the previous post was less than MININTERVAL seconds ago
if (isset($_SESSION['last_post']) && $_SESSION['last_post'] + MININTERVAL > time()) die('too early');

$_SESSION['last_post'] = time();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// store the message
Majid
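An added example (not Majid's code) that turns the check above into a function whose inputs are passed in, so the decision logic can be exercised without a web server, and that actually uses the stored IP: a session presented from a different address is refused rather than inheriting the previous visitor's timestamp. The function name, the 30-second `MININTERVAL` and the HTTP 429 response are my own assumptions.

```php
<?php
// Added example: session-based post throttle with IP binding.
// Not part of the original answer; names and the interval are assumptions.

const MININTERVAL = 30; // seconds a visitor must wait between posts

// Decide whether this post may proceed. $session is the live $_SESSION array
// (passed by reference so the function can update it on success).
function allow_post(array &$session, string $remote_ip, int $now): bool {
    $last = $session['last_post'] ?? null;   // null on the visitor's first post
    $ip   = $session['ip'] ?? null;

    // A session cookie arriving from a different address than the one it was
    // created from is not treated as the same visitor.
    if ($ip !== null && $ip !== $remote_ip) {
        return false;
    }

    // Still inside the waiting period. Note the direction: "last + interval > now"
    // means the interval has not elapsed yet.
    if ($last !== null && $last + MININTERVAL > $now) {
        return false;
    }

    $session['last_post'] = $now;
    $session['ip']        = $remote_ip;
    return true;
}

// like.php usage (assumed): run the check before touching the database.
session_start();
if (!allow_post($_SESSION, $_SERVER['REMOTE_ADDR'], time())) {
    http_response_code(429);
    exit('too early');
}
// store the message
```

Two caveats the page already hints at: a client whose address changes mid-session (mobile networks, some proxies) will be refused until its session expires, and, as the first answer notes, a bot that simply discards the cookie gets a fresh session with no `last_post` and is not slowed down at all. This throttle therefore bounds what a single session can do; it is not a substitute for a per-IP limit or a request token.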