Prevent topic injection

scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Prevent topic injection

Post by scarface222 »

I am creating somewhat of a forum, and when the user goes to the create page and submits the topic, the browser will let them go back to the previous page if they click Back in their browser controls. They can then click Submit and another topic that is the same is created, since all the info is filled in. They could easily create 20 topics that are the same if they were malicious. Can anyone think of a practical way to prevent this?

I tried that on this forum, apparently you can do that here too. I know if someone kept doing it, I could ban them or something, but it would make for a bad user experience for others if people were doing that.
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: Prevent topic injection

Post by JakeJ »

Timestamp the topics, compare the titles and if the same user submits the same topic again within say a few minutes, it says he can't do that.

You could also prevent a user from submitting another topic within a certain time frame. You could even stair-step it.

1st to 2nd post, 1 minute. 2nd to 3rd, 2 minutes. 3rd to 4th, 5 minutes. And every 10 minutes thereafter. That would prevent a lot of cross posting.
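One way to implement the stair-stepped cooldown plus the same-title check from the post above, added here as an example and not code from the thread. It uses PDO prepared statements against an in-memory SQLite table called topics; the table, its columns and the 10-minute duplicate-title window are assumptions, and the run at the bottom is constructed so the script can be executed from the command line with php.

```php
<?php
// Added example, not from the thread: stair-stepped posting cooldown plus a
// duplicate-title check. Table/column names and the 600 s duplicate window are assumed.
declare(strict_types=1);

// Seconds a user must wait before topic number ($postsSoFar + 1):
// 1st->2nd: 60, 2nd->3rd: 120, 3rd->4th: 300, every one after that: 600.
function cooldown_seconds(int $postsSoFar): int
{
    if ($postsSoFar <= 0) {
        return 0;
    }
    return match (true) {
        $postsSoFar === 1 => 60,
        $postsSoFar === 2 => 120,
        $postsSoFar === 3 => 300,
        default           => 600,
    };
}

// Returns null when the topic may be created, otherwise a message for the user.
function topic_rejection(PDO $db, int $userId, string $title, int $now): ?string
{
    // Same user, same title, within the last 10 minutes (assumed window).
    $st = $db->prepare(
        'SELECT COUNT(*) FROM topics WHERE user_id = :u AND title = :t AND created_at > :since'
    );
    $st->execute([':u' => $userId, ':t' => $title, ':since' => $now - 600]);
    if ((int)$st->fetchColumn() > 0) {
        return 'You already posted a topic with this title a few minutes ago.';
    }

    // The number of topics so far and the time of the latest one drive the cooldown.
    $st = $db->prepare('SELECT COUNT(*), MAX(created_at) FROM topics WHERE user_id = :u');
    $st->execute([':u' => $userId]);
    [$count, $last] = $st->fetch(PDO::FETCH_NUM);
    $wait      = cooldown_seconds((int)$count);
    $remaining = ($last === null) ? 0 : ((int)$last + $wait) - $now;
    if ($remaining > 0) {
        return "Please wait {$remaining} more seconds before starting another topic.";
    }
    return null;
}

function create_topic(PDO $db, int $userId, string $title, string $body, int $now): void
{
    $st = $db->prepare(
        'INSERT INTO topics (user_id, title, body, created_at) VALUES (:u, :t, :b, :c)'
    );
    $st->execute([':u' => $userId, ':t' => $title, ':b' => $body, ':c' => $now]);
}

// --- constructed demo against an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT, body TEXT, created_at INTEGER)');

$now  = 1_000_000;
$user = 42;
$attempts = [
    ['Help with PDO',    0],   // first topic: allowed
    ['Help with PDO',    5],   // Back + Submit 5 s later: duplicate title, rejected
    ['Another question', 30],  // different title but inside the 60 s cooldown: rejected
    ['Another question', 61],  // cooldown elapsed: allowed
    ['Third topic',      100], // 2nd->3rd cooldown is 120 s: rejected
    ['Third topic',      200], // allowed
];
foreach ($attempts as [$title, $offset]) {
    $t   = $now + $offset;
    $why = topic_rejection($db, $user, $title, $t);
    if ($why === null) {
        create_topic($db, $user, $title, 'body', $t);
        echo "+{$offset}s  created   \"{$title}\"\n";
    } else {
        echo "+{$offset}s  rejected  \"{$title}\": {$why}\n";
    }
}
```

The timestamps are stored as integers and compared in SQL so the check is a single indexed query per submit; in production use time() for $now and put an index on (user_id, created_at). Comparing titles exactly, as here, is easy to dodge by changing one character, which is why the cooldown and not the title check carries most of the weight.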
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Prevent topic injection

Post by AbraCadaver »

You can query the DB for the topic and if it exists then don't insert it.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: Prevent topic injection

Post by JakeJ »

AbraCadaver wrote: You can query the DB for the topic and if it exists then don't insert it.
I thought of that too, but it's a bit limiting.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Prevent topic injection

Post by AbraCadaver »

JakeJ wrote:
AbraCadaver wrote: You can query the DB for the topic and if it exists then don't insert it.
I thought of that too, but it's a bit limiting.
Well, it depends upon what they mean by a topic. I just reread what the OP said; it is for a forum. I was thinking of a topic as in an article category, like Announcements, where certain articles would be under that topic. In that case you wouldn't want more than one.

But for a forum I agree with you, probably a timestamp. It could be a hidden input that on post is put in a session var. Then if they hit Back and post again, it would fail if you check the posted var against the session var and they are equal.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Prevent topic injection

Post by scarface222 »

Yeah I agree that time-stamping would be the least limiting and probably best measure. I thought of using a captcha to insert topics, but I thought if someone wanted they could still enter topics pretty fast and clutter the topic area. With a time limit say of even 1 or 2 minutes, only someone who wants to waste a lot of time to spam would be able to and bots do not matter really because you have to be logged in to submit a topic on my site.

Thanks guys for your feedback, I appreciate the ideas (as usual, appreciate the feedback, abra lol). PS: great idea on stair-stepping the time intervals, jake.
Sindarin
Forum Regular
Posts: 521
Joined: Tue Sep 25, 2007 8:36 am
Location: Greece

Re: Prevent topic injection

Post by Sindarin »

I've seen this behavior with forms. Try using a session variable, set it on the topic entry page and unset it when the user has successfully posted?
Use session variables to keep all the values in the fields so you can easily reset those values on success.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: Prevent topic injection

Post by scarface222 »

That's a clever idea man, thanks. So you cannot prevent resubmission like that, right, but you can at least clear the form. I am however not sure exactly how to do this. I am submitting the form to the same page, which then redirects on success. So if $test=$_POST['test']; ... would I have to submit my form using a session? Could you maybe show me in a quick example?
Sindarin
Forum Regular
Posts: 521
Joined: Tue Sep 25, 2007 8:36 am
Location: Greece

Re: Prevent topic injection

Post by Sindarin »

scarface222 wrote: so you cannot prevent resubmission like that right but you can at least clear the form
The above protects from resubmission by clearing all fields once the user has successfully submitted the topic, so it's not rude towards the user; in fact it's even useful.
The form will submit, the session variables will be unset, and if the user presses F5 he'll submit blank values. Your script will then check for empty fields and tell him that he has missing fields, so he'll need to refill the form from scratch.

The additional session variable at the start prevents a user from visiting a URL like index.php?go=contact&form=send or submitform.php directly and hitting F5. Adding a referrer check could help, but referrers can be easily spoofed.


In your code section that posts the topic, add:

```php
<?php
session_start(); // the session must be started before $_SESSION can be read on this page

// First we see if the user came from the form page (this protects against spammy F5 submission).
if (isset($_SESSION['can_send']))
{
    // Keep the fields in session variables; the user might also need them restored if the form fails to submit correctly.
    $_SESSION['username'] = strip_tags($_POST['username'] ?? '');
    //..repeat for all your fields

    // Check fields and post the topic here.

    // Delete the session variables after successful submission. This will cause the values to be blank,
    // so when you check for empty fields a user that tries to resubmit gets a warning that the field was blank,
    // based on your required-fields checking.
    unset($_SESSION['username']);
    //..repeat for all your fields

    // Clear the flag too; otherwise it stays set after the first post and a replayed POST would be accepted again.
    unset($_SESSION['can_send']);
}
else
{
    // Tell the user he's trying to double post.
    echo 'You may not resubmit this topic more than one time!'; //or something like that
}
```
Then at your form page, add at the top:

```php
<?php
session_start();

$_SESSION['can_send'] = 1;
```
On your fields, set as their values the session variables, escaped for HTML so a stored value cannot break out of the attribute, like:

```php
<input type="text" name="username" value="<?php if (isset($_SESSION['username'])) { echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); } ?>" />
```
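AbraCadaver's hidden-input-compared-to-session idea and Sindarin's can_send flag are both versions of a one-time form token. The script below is an added example and not code from either post: the form page mints a random token into both the session and a hidden input, and the handler accepts each token exactly once, so a Back + Submit or F5 replay of the same POST is refused without any timestamp comparison. The session and the topics table are plain arrays so it runs from the CLI; the names form_token, topic_form_token and create_topic.php are assumptions.

```php
<?php
// Added example, not code from the thread: a single-use form token stored in the
// session and carried in a hidden input. $session stands in for $_SESSION and
// $topics for the database so the script runs stand-alone.
declare(strict_types=1);

const TOKEN_KEY = 'topic_form_token'; // assumed session key

// Called when rendering the form: mint a fresh token and remember it.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session[TOKEN_KEY] = $token;
    return $token;
}

// Called when handling the POST: true only for the first use of the current token.
function consume_form_token(array &$session, array $post): bool
{
    $expected = $session[TOKEN_KEY] ?? null;
    $given    = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    if (!hash_equals($expected, $given)) {   // constant-time comparison
        return false;
    }
    unset($session[TOKEN_KEY]);              // single use: spend it now
    return true;
}

// Renders the form, optionally pre-filled with the previous values ($old).
function render_form(array &$session, array $old = []): string
{
    $token = issue_form_token($session);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="create_topic.php">' . "\n"
        . '  <input type="hidden" name="form_token" value="' . $h($token) . '">' . "\n"
        . '  <input type="text" name="title" value="' . $h($old['title'] ?? '') . '">' . "\n"
        . '  <textarea name="body">' . $h($old['body'] ?? '') . '</textarea>' . "\n"
        . '  <button type="submit">Create topic</button>' . "\n"
        . '</form>';
}

// Handles the POST; returns a status string instead of sending headers.
function handle_post(array &$session, array $post, array &$topics): string
{
    if (!consume_form_token($session, $post)) {
        return 'rejected: stale or missing form token (already submitted?)';
    }
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '') {
        // The token is already spent, so re-render with a new one and the old
        // values filled in: render_form($session, $post).
        return 'validation error: title required';
    }
    $topics[] = ['title' => $title, 'body' => (string)($post['body'] ?? '')];
    return 'created: ' . $title;  // real code: header('Location: /topic/...'); exit;
}

// --- constructed demo: one user, one browser tab ---
$session = [];
$topics  = [];

$html = render_form($session);                                  // GET the form page
preg_match('/name="form_token" value="([0-9a-f]{32})"/', $html, $m);
$post = ['form_token' => $m[1], 'title' => 'Help with PDO', 'body' => '...'];

echo handle_post($session, $post, $topics), "\n";               // first submit: created
echo handle_post($session, $post, $topics), "\n";               // Back + Submit replay: rejected
echo handle_post($session, ['title' => 'No token'], $topics), "\n"; // direct POST: rejected
echo 'topics stored: ', count($topics), "\n";                   // 1
```

Because the token is unset the moment it is accepted, the check does not depend on clearing the field values, and a direct POST to the handler without visiting the form fails the same way. Still redirect after the successful insert (as the OP already does) so a plain F5 on the result page issues a GET. One token slot per form means a second tab opened later invalidates the first tab's form; store tokens keyed by form id if that matters.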