How can I prevent a malicious user from flooding my database through submission of dummy values in forms i.e. changing of values over i.e. 1000 times?
Any ideas would be greatly appreciated.
victor
How to prevent overflooding of database through form sub.
you could use cookies/sessions
Code:
<?php
session_start();

// Placeholder: replace with your own validation of the submitted fields.
$formIsAcceptable = ($_SERVER['REQUEST_METHOD'] === 'POST');

if ($formIsAcceptable) {
    if (empty($_SESSION['submitted_form'])) {
        // add to db
        $_SESSION['submitted_form'] = true;
    } else {
        echo 'you already submitted once';
    }
}

Yes, they can just clear their cookies, or disable them and go hog wild still, and a frequent spammer probably is keen to this.
To take it a step further, you could keep a list of IP addresses and their corresponding browser user agents, and what time they submitted a post.
Check if their IP address AND user_agent have been used to submit a post in the last 30 min or so; if it has, deny them. I would only deny them if the IP AND user_agent were used for a single post, otherwise you'll be denying some innocent users.
You can still get around that, but it's much more difficult and will probably discourage all but the most persistent spammers.
2 questions:
1. I suppose I need to have 2 additional columns in the DB table in order to capture the concatenated value of (user's_IP+user_agent) and time of POST? Or can I use $_SESSION['user's_IP+user_agent'] and make it last for 30 mins even if the client ended the session?
2. How can I access the user's IP and user_agent? Do you need special permission to access the remote server's log? I'm hosting my web site with a remote hosting company.
- John Cartwright
- Site Admin
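Code:
<?php
// Dump the server/request variables. The output is escaped because
// headers such as the User-Agent are supplied by the client.
echo '<pre>';
echo htmlspecialchars(print_r($_SERVER, true), ENT_QUOTES, 'UTF-8');
echo '</pre>';
?>

You will find that most useful for getting the user's information.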
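The IP + user agent + timestamp check suggested earlier in the thread, combined with the $_SERVER values pointed to above, as an added example that is not code from any of the posters. It assumes a separate table rather than extra columns on the form's own table; the names submission_log, open_log and allow_submission are hypothetical, and in-memory SQLite is used only so the script runs on its own.

```php
<?php
// Added example (not from the thread). Table and function names are
// hypothetical; in-memory SQLite (pdo_sqlite) keeps the script stand-alone.
const WINDOW_SECONDS = 1800; // "the last 30 min or so" from the thread

function open_log(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submission_log (
                   client_hash  TEXT PRIMARY KEY,
                   submitted_at INTEGER NOT NULL)');
    return $db;
}

// Returns true and records the post if this IP + User-Agent pair has not
// posted within the window; returns false if it has.
function allow_submission(PDO $db, string $ip, string $ua, int $now): bool {
    // Hash the pair: the key has a fixed length, and the raw User-Agent
    // (client-controlled, arbitrary length) never reaches the table.
    $key = hash('sha256', $ip . "\n" . $ua);

    $db->beginTransaction();
    // Expire entries older than the window so the table stays small.
    $db->prepare('DELETE FROM submission_log WHERE submitted_at <= ?')
       ->execute([$now - WINDOW_SECONDS]);
    $sel = $db->prepare('SELECT 1 FROM submission_log WHERE client_hash = ?');
    $sel->execute([$key]);
    $recent = $sel->fetchColumn() !== false;
    if (!$recent) {
        $db->prepare('INSERT INTO submission_log (client_hash, submitted_at)
                      VALUES (?, ?)')->execute([$key, $now]);
    }
    $db->commit();
    return !$recent;
}

// Constructed sample requests (documentation IP range, made-up agents).
// In a real handler: $ip = $_SERVER['REMOTE_ADDR'];
//                    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
$db = open_log();
$t0 = 1700000000;
var_dump(allow_submission($db, '203.0.113.7', 'ExampleBrowser/1.0', $t0));
var_dump(allow_submission($db, '203.0.113.7', 'ExampleBrowser/1.0', $t0 + 60));
var_dump(allow_submission($db, '203.0.113.7', 'OtherBrowser/2.0', $t0 + 60));
var_dump(allow_submission($db, '203.0.113.7', 'ExampleBrowser/1.0', $t0 + 1801));
```

Because the record lives in the database and not in $_SESSION, it survives cleared cookies and ended sessions. Behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so every visitor would share one IP in the key.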