Prevent topic injection
scarface222
- Forum Contributor
- Posts: 354
- Joined: Thu Mar 26, 2009 8:16 pm
Prevent topic injection
I am creating somewhat of a forum, and when the user goes to the create page and submits the topic, the browser will let them go back to the previous page if they click back on their browser controls. They can then click submit and another topic that is the same is created, since all the info is filled in. They could easily create 20 topics that are the same if they were malicious. Can anyone think of a practical way to prevent this function?
I tried that on this forum; apparently you can do that here too. I know if someone kept doing it, I could ban them or something, but it would make for a bad user experience for others if people were doing that.
Re: Prevent topic injection
Timestamp the topics, compare the titles, and if the same user submits the same topic again within, say, a few minutes, it says he can't do that.
You could also prevent a user from submitting another topic within a certain time frame. You could even stair-step it:
1st to 2nd post, 1 minute. 2nd to 3rd, 2 minutes. 3rd to 4th, 5 minutes. And every 10 minutes thereafter. That would prevent a lot of cross posting.
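As an added example (not code from anyone in this thread), here is the timestamp-and-stair-step idea above written out in PHP with PDO against an in-memory SQLite table so it runs stand-alone. The `topics` table, its columns, the duplicate window and the interval values are all assumptions; the stair-step values are the ones suggested in the post.

```php
<?php
// Added example: stair-step throttling plus a duplicate-title check.
// Minimum gap (seconds) required before a user's next topic, keyed by how many
// topics the user already has; the last entry applies to every topic after that.
const STAIR_STEP = [1 => 60, 2 => 120, 3 => 300, 4 => 600];
const DUPLICATE_WINDOW = 300; // same title by the same user within 5 minutes is refused (assumed)

function setupSchema(PDO $pdo): void {
    // Assumed table layout; an existing forum schema will differ.
    $pdo->exec('CREATE TABLE topics (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id INTEGER NOT NULL,
        title TEXT NOT NULL,
        created_at INTEGER NOT NULL)');
}

// Returns null when the topic may be created, otherwise a message for the user.
function topicRejection(PDO $pdo, int $userId, string $title, int $now): ?string {
    $title = trim($title);
    if ($title === '') {
        return 'Title is required.';
    }
    // Duplicate check: same user, same title (case-insensitive), posted recently.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM topics
        WHERE user_id = :uid AND lower(title) = lower(:title) AND created_at > :since');
    $stmt->execute([':uid' => $userId, ':title' => $title, ':since' => $now - DUPLICATE_WINDOW]);
    if ((int)$stmt->fetchColumn() > 0) {
        return 'You already posted a topic with this title a few minutes ago.';
    }
    // Stair-step throttle: the required gap grows with the user's topic count.
    $stmt = $pdo->prepare('SELECT COUNT(*), MAX(created_at) FROM topics WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    [$count, $last] = $stmt->fetch(PDO::FETCH_NUM);
    $count = (int)$count;
    if ($count > 0) {
        $required = STAIR_STEP[min($count, max(array_keys(STAIR_STEP)))];
        $wait = $required - ($now - (int)$last);
        if ($wait > 0) {
            return sprintf('Please wait %d more second(s) before creating another topic.', $wait);
        }
    }
    return null;
}

// Inserts the topic unless topicRejection() objects; returns the rejection message or null.
function createTopic(PDO $pdo, int $userId, string $title, int $now): ?string {
    $why = topicRejection($pdo, $userId, $title, $now);
    if ($why !== null) {
        return $why;
    }
    $stmt = $pdo->prepare('INSERT INTO topics (user_id, title, created_at) VALUES (:uid, :title, :at)');
    $stmt->execute([':uid' => $userId, ':title' => trim($title), ':at' => $now]);
    return null;
}

// Demo with constructed data: user 7 submits the same title twice, then more topics quickly.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($pdo);
$t0 = 1700000000; // constructed base timestamp
foreach ([[0, 'Hello'], [5, 'Hello'], [5, 'Other'], [90, 'Other'], [200, 'Third']] as [$offset, $title]) {
    $result = createTopic($pdo, 7, $title, $t0 + $offset);
    printf("t+%-4d %-6s -> %s\n", $offset, $title, $result ?? 'created');
}
```

Both checks are scoped to the user, so one person's throttle never blocks another. Run both before the INSERT and in the same request that performs it; a check that only looks at the title (without the user and the time window) would refuse legitimate topics that merely share a name, which is the limitation the later replies mention.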
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
Re: Prevent topic injection
You can query the DB for the topic and if it exists then don't insert it.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Re: Prevent topic injection
AbraCadaver wrote:
> You can query the DB for the topic and if it exists then don't insert it.

I thought of that too, but it's a bit limiting.
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
Re: Prevent topic injection
JakeJ wrote:
> AbraCadaver wrote:
> > You can query the DB for the topic and if it exists then don't insert it.
> I thought of that too, but it's a bit limiting.

Well, it depends upon what they mean by a topic. I just reread what the OP said; it is for a forum. I was thinking of a topic as in an article category topic, like Announcements, where certain articles would be under that topic. In that case you wouldn't want more than one.
But for a forum I agree with you, probably a timestamp. It could be a hidden input that on post is put in a session var. Then if they hit back and post again, it would fail if you check the posted var against the session var and they are equal.
scarface222
- Forum Contributor
- Posts: 354
- Joined: Thu Mar 26, 2009 8:16 pm
Re: Prevent topic injection
Yeah, I agree that time-stamping would be the least limiting and probably the best measure. I thought of using a captcha to insert topics, but I thought if someone wanted they could still enter topics pretty fast and clutter the topic area. With a time limit of say even 1 or 2 minutes, only someone who wants to waste a lot of time to spam would be able to, and bots do not matter really because you have to be logged in to submit a topic on my site.
Thanks guys for your feedback, appreciate the ideas (as usual appreciate the feedback, abra lol). PS great idea on stair-stepping the time intervals, Jake.
Re: Prevent topic injection
I've seen this behavior with forms. Try using a session variable: set it on the topic entry page and unset it when the user has successfully posted?
Use session variables to keep all the values in the fields so you can easily reset those values on success.
scarface222
- Forum Contributor
- Posts: 354
- Joined: Thu Mar 26, 2009 8:16 pm
Re: Prevent topic injection
That's a clever idea man, thanks. So you cannot prevent resubmission like that, right, but you can at least clear the form. I am however not sure exactly how to do this. I am submitting the form to the same page, which then redirects on success. So if $test=$_POST['test'];... Would I have to submit my form using a session? Could you maybe show me a quick example?
Re: Prevent topic injection
> so you cannot prevent resubmission like that right but you can at least clear the form

The above protects from resubmission by clearing all fields if the user has successfully submitted the topic, so it's not rude towards the user; in fact it's even useful.
The form will submit, the session variables will be unset, and if the user presses F5 he'll submit blank values; then your script will check for empty fields and tell him that he has missing fields, so he'll need to refill the form from scratch.
The additional session variable at the start prevents a user from visiting a URL like index.php?go=contact&form=send or submitform.php and hitting F5. Adding a referrer check could help, but referrers can be easily spoofed.
In your code section that posts the topic add:

```php
<?php
session_start(); // the session must be started before $_SESSION is read

// first we see if the user came from the form page (this protects against spammy F5 submission)
if (isset($_SESSION['can_send']))
{
    // keep the fields in session variables, the user might also need to restore them if the form fails to submit correctly
    $_SESSION['username'] = strip_tags($_POST['username'] ?? '');
    // ..repeat for all your fields

    // check fields and post the topic here

    // delete the session variables after successful submission, this will cause the values to be blank so when you check for empty fields,
    // a user that will try to resubmit he'll get a warning that the field was blank based on your required fields checking
    unset($_SESSION['username']);
    // ..repeat for all your fields
}
else
{
    // tell the user he's trying to double post
    echo 'You may not resubmit this topic more than one time!'; // or something like that
}
```

```php
<?php
// on the page that shows the form, before any output is sent
session_start();
$_SESSION['can_send'] = 1;
```

```php
<!-- form field that restores the value kept in the session; escape it so a quote in the value cannot break out of the attribute -->
<input type="text" name="username" value="<?php if (isset($_SESSION['username'])) { echo htmlspecialchars($_SESSION['username'], ENT_QUOTES); } ?>" />
```
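As an added example (not code from anyone in this thread), here is the "hidden input checked against a session var" idea from AbraCadaver's reply and the "set a session variable on the form page, unset it on success" idea from the reply above combined into one one-shot form token, written to run stand-alone from the command line. The form page issues a random token, stores it in the session and embeds it as a hidden input; the handler accepts a POST only if the submitted token matches the stored one, then discards it, so a Back-and-resubmit or F5 replays a token that no longer exists. The `create.php` action, the `topics.php` redirect target and the `$insert` callback are assumptions; a plain array stands in for `$_SESSION`.

```php
<?php
// Added example: one-shot form token kept in the session (assumed names throughout).

function issueFormToken(array &$session): string {
    // Unguessable, fresh per form render; random_bytes() is PHP 7+.
    $session['topic_token'] = bin2hex(random_bytes(16));
    return $session['topic_token'];
}

// Renders the form with the token as a hidden input and any saved title restored.
function renderForm(array &$session): string {
    $token = issueFormToken($session);
    return '<form method="post" action="create.php">'
        . '<input type="hidden" name="topic_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
        . '<input type="text" name="title" value="' . htmlspecialchars($session['title'] ?? '', ENT_QUOTES) . '">'
        . '<button type="submit">Create topic</button></form>';
}

// Returns ['ok' => bool, 'message' => string]; $insert runs only for a valid first submission.
function handleSubmit(array &$session, array $post, callable $insert): array {
    $expected = $session['topic_token'] ?? null;
    $given = $post['topic_token'] ?? '';
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        return ['ok' => false, 'message' => 'This form was already submitted or has expired. Please reload the form.'];
    }
    // Consume the token before doing any work so a replayed request cannot reuse it.
    unset($session['topic_token']);

    $title = trim((string)($post['title'] ?? ''));
    if ($title === '') {
        // Keep what the user typed so the re-rendered form (with a fresh token) can restore it.
        $session['title'] = '';
        return ['ok' => false, 'message' => 'Title is required.'];
    }
    $insert($title);
    unset($session['title']); // nothing left to restore after success
    // In the real page this is where you redirect (post/redirect/get):
    //   header('Location: topics.php', true, 303); exit;
    return ['ok' => true, 'message' => 'Topic created; redirecting to the topic list.'];
}

// Demo with a plain array standing in for $_SESSION and a closure standing in for the DB insert.
$session = [];
$created = [];
$insert = function (string $title) use (&$created): void { $created[] = $title; };

$html = renderForm($session);
preg_match('/name="topic_token" value="([0-9a-f]+)"/', $html, $m);
$post = ['topic_token' => $m[1], 'title' => 'Hello'];

print_r(handleSubmit($session, $post, $insert));                 // first submit
print_r(handleSubmit($session, $post, $insert));                 // same POST replayed (Back, then submit)
print_r(handleSubmit($session, ['title' => 'Hello'], $insert));  // direct request with no token
echo count($created), " topic(s) created\n";
```

The token is consumed before validation, so a validation failure must re-render the form, which issues a new token; that is the point at which the saved field values are restored. The 303 redirect on success covers the other half of the problem: after a redirect the browser's F5 repeats a GET, not the POST, and the Back button lands on the form page, which issues a fresh token. Because the token is random, per session and compared with `hash_equals()`, the same check also rejects forms posted from another site, which is the usual CSRF defence.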