Reload, repost stopper
Moderator: General Moderators
- Fredix
- Forum Contributor
- Posts: 101
- Joined: Fri Jul 18, 2003 2:16 pm
- Location: Wehr (Eifel) Germany
- Contact:
Hi,
I have several forms where the user may enter data (guestbook, feedback mail, ...). Now I need to add a feature to my scripts that controls who entered how much right now. Or, in other words, allow only 2 entries and everything else from the same user is considered spam, so ignore it.
The question is HOW to build such a feature?
My ideas were to make a cookie and put the number of posts in it or do the equivalent with sessions, or SOMEHOW save the user's IP SOMEWHERE for e.g. 5 min. and save the number of entries, too.
What would be your ideas? Do you know how others do that? What are the risks/advantages/disadvantages?
thank you.
-
kettle_drum
- DevNet Resident
- Posts: 1150
- Joined: Sun Jul 20, 2003 9:25 pm
- Location: West Yorkshire, England
...
Yeah, whenever a user submits a form, save their IP in a text file or database. Then add a check before you show the form - so it only shows the form if the IP hasn't submitted in the last x number of mins.
Simple enough to do, but not very effective as the user can change their IP address using a proxy and then submit again. If you have members then you can record the member name and do the same check.
- Fredix
- Forum Contributor
- Posts: 101
- Joined: Fri Jul 18, 2003 2:16 pm
- Location: Wehr (Eifel) Germany
- Contact:
I decided to do the following:
save the IPs in a database.table
when the next poster submits the script should get the recent IP and compare it with the IP of the actual poster
if it is not the same just post
if it is the same, get the IP from the second recent post; if it is the same again, get the IP from the third recent post; if it is again the same, tell the actual poster that he may post only 3 times in a row and then has to wait (until someone else makes a post)
I decided that would be better because if someone wants to spam e.g. a shoutbox he would use a script that non-stop sends POST requests. If I limit the posts to a special time then the spammer would still be successful if he acts during the night as his script has a lot of time, and on the other hand in a shoutbox you (may want to) post several posts in a short time and don't want to wait a min.
With my solution the spammer would have to change his IP somehow which I believe is a mess so he'll give it up...
now, where I have problems is how to get the recent (second, third and no more) IPs from the database.
- Fredix
- Forum Contributor
- Posts: 101
- Joined: Fri Jul 18, 2003 2:16 pm
- Location: Wehr (Eifel) Germany
- Contact:
if someone is interested:
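Code:
<?php
// Note: the mysql_* extension used here was removed in PHP 7.0 (mysqli and PDO replace it).
// Fetch the IP of every shoutbox post, newest first.
$query = "SELECT ip FROM gis_shoutbox ORDER BY date DESC";
$result = mysql_query($query, $db);

// Most recent post: same address as the current visitor?
mysql_data_seek($result, 0);
$ip = mysql_fetch_row($result);
if ($ip[0] == $_SERVER['REMOTE_ADDR'])
{
    // Second most recent post.
    mysql_data_seek($result, 1);
    $ip = mysql_fetch_row($result);
    if ($ip[0] == $_SERVER['REMOTE_ADDR'])
    {
        // Third most recent post.
        mysql_data_seek($result, 2);
        $ip = mysql_fetch_row($result);
        if ($ip[0] == $_SERVER['REMOTE_ADDR'])
        {
            // Message: "You already have 3 posts, take a break!"
            die ("Sie haben bereits 3 posts, machen Sie eine Pause!");
        }
    }
}
?>
-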
Bennettman
- Forum Contributor
- Posts: 130
- Joined: Sat Jun 15, 2002 3:58 pm
- Fredix
- Forum Contributor
- Posts: 101
- Joined: Fri Jul 18, 2003 2:16 pm
- Location: Wehr (Eifel) Germany
- Contact:
@Bennettman
I didn't know anything about a limit function. I'll have to check the mysql reference
@JAM
Your first solution isn't too good because as a spammer I would randomly generate the text in a flooding script.
JS solutions are always bad as JS can be disabled and because a spammer would use his own script, as I said, to send POST or GET requests
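The "three posts in a row" rule from this thread, written with LIMIT and a prepared statement, as an added example that is not code from any poster. It assumes PDO with the SQLite driver as an in-memory stand-in for the MySQL table; the `id` column, the function names and the sample addresses are made up for the illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL table.
// Table/column names follow the post (gis_shoutbox, ip, date); the id column,
// function names and sample addresses are assumptions made for this sketch.

const MAX_IN_A_ROW = 3;

function may_post(PDO $db, string $ip, int $maxInARow = MAX_IN_A_ROW): bool
{
    // Fetch only the newest N rows instead of seeking through the full result set.
    $stmt = $db->prepare(
        'SELECT ip FROM gis_shoutbox ORDER BY date DESC, id DESC LIMIT :n'
    );
    $stmt->bindValue(':n', $maxInARow, PDO::PARAM_INT);
    $stmt->execute();
    $recent = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Fewer than N posts in total: the limit cannot have been reached yet.
    if (count($recent) < $maxInARow) {
        return true;
    }
    // Blocked only when every one of the newest N posts came from this address.
    foreach ($recent as $rowIp) {
        if ($rowIp !== $ip) {
            return true;
        }
    }
    return false;
}

function add_post(PDO $db, string $ip, int $when): void
{
    $stmt = $db->prepare('INSERT INTO gis_shoutbox (ip, date) VALUES (:ip, :d)');
    $stmt->execute([':ip' => $ip, ':d' => $when]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gis_shoutbox (id INTEGER PRIMARY KEY, ip TEXT, date INTEGER)');

// Constructed sequence of submissions (documentation address ranges).
$attempts = ['192.0.2.10', '192.0.2.10', '192.0.2.10', '192.0.2.10', '198.51.100.7', '192.0.2.10'];
foreach ($attempts as $i => $ip) {
    $ok = may_post($db, $ip);
    if ($ok) {
        add_post($db, $ip, 1000 + $i);
    }
    printf("%-13s %s\n", $ip, $ok ? 'accepted' : 'rejected: 3 posts in a row');
}
```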
Fredix wrote: Your first solution isn't too good because as a spammer I would randomly generate the text in a flooding script.
Very true... I was thinking about 'double clickers' that perhaps isn't very common today.
Fredix wrote: JS solutions are always bad as JS can be disabled and because a spammer would use his own script, as I said, to send POST or GET requests
Also true.
Oh slap me. =)
Yea, if you're checking the database for the same entry before submitting it, that's what prompted spammers to put "qfRe89ejF3" after email subjects - after all, "grilled spam" isn't the same as "grilled spam".
Now, a clever programmer would just use a sly combination of similar_text, levenshtein and check those values, because a 200 word forum post can be matched to an identical one, especially if it's only got a little garbled string at the end. However, to run levenshtein on 5,000 200-word forum posts every time someone submits the form, is kind of fanatical. Are you sure you have a problem with spam, or is this just precautionary?
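A near-duplicate check along the lines of the last reply, as an added example that is not part of the thread: it scores a new post with similar_text against only the newest few posts, which keeps the cost per submission bounded. The function names, the 90% threshold and the sample posts are assumptions made for the illustration.

```php
<?php
// Added example: function names, the threshold and the sample posts are
// assumptions for illustration, not values from the thread.

function normalize_post(string $text): string
{
    // Lower-case and collapse whitespace so trivial spacing/case edits do not matter.
    return trim(preg_replace('/\s+/', ' ', strtolower($text)));
}

/**
 * Return the similarity (0-100) of the closest match among $recentPosts,
 * or null when nothing reaches $threshold percent.
 */
function near_duplicate(string $new, array $recentPosts, float $threshold = 90.0): ?float
{
    $needle = normalize_post($new);
    $best = null;
    foreach ($recentPosts as $old) {
        similar_text($needle, normalize_post($old), $percent);
        if ($percent >= $threshold && ($best === null || $percent > $best)) {
            $best = $percent;
        }
    }
    return $best;
}

// Constructed sample: only the newest few posts are checked, e.g. the rows
// returned by "... ORDER BY date DESC LIMIT 20", to bound the cost per submit.
$recent = [
    'Does anyone know when the next release is planned?',
    'Cheap watches at example.invalid, best prices, order today',
];
$candidates = [
    'Cheap watches at example.invalid, best prices, order today qfRe89ejF3',
    'I think the release was announced for next month.',
];
foreach ($candidates as $post) {
    $score = near_duplicate($post, $recent);
    echo $score === null
        ? "accept: $post\n"
        : sprintf("reject (%.1f%% similar): %s\n", $score, $post);
}
```

similar_text is used here because, before PHP 8.0, levenshtein() did not accept strings longer than 255 characters, which a 200-word post exceeds.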