
Reload, repost stopper

Posted: Fri Jul 25, 2003 6:34 am
by Fredix
Hi,
I have several forms where the user may enter data (guestbook, feedback mail, ...). Now I need to add a feature to my scripts that controls who entered how much right now. Or, in other words, allow only 2 entries and everything else from the same user is considered spam, so ignore it.

The question is HOW to build such a feature?
My ideas were to make a cookie and put the number of posts in it, or do the equivalent with sessions, or SOMEHOW save the user's IP SOMEWHERE for e.g. 5 min. and save the number of entries, too.

What would be your ideas? Do you know how others do that? What are the risks/advantages/disadvantages?

thank you.

...

Posted: Fri Jul 25, 2003 12:15 pm
by kettle_drum
Yeah, whenever a user submits a form, save their IP in a text file or database. Then add a check before you show the form - so it only shows the form if the IP hasn't submitted in the last x number of mins.

Simple enough to do, but not very effective as the user can change their IP address using a proxy and then submit again. If you have members then you can record the member name and do the same check.

Posted: Fri Jul 25, 2003 3:10 pm
by Fredix
OK, I hope that this can stop flooding by using scripts that automatically generate entries. Do you think there is a way to use sessions for this? (I never used sessions before, so I'm not sure whether you can change the session by just editing the address.)

Posted: Tue Jul 29, 2003 4:00 pm
by Fredix
I decided to do the following:
save the IPs in a database.table
when the next poster submits, the script should get the recent IP and compare it with the IP of the actual poster
if it is not the same, just post
if it is the same, get the IP from the second recent post; if it is the same again, get the IP from the third recent post; if it is again the same, tell the actual poster that he may post only 3 times in a row and then has to wait (until someone else makes a post)

I decided that would be better because if someone wants to spam e.g. a shoutbox he would use a script that non-stop sends POST requests. If I limit the posts to a special time then the spammer would still be successful if he acts during the night, as his script has a lot of time, and on the other hand in a shoutbox you (may want to) post several posts in a short time and don't want to wait a min.
With my solution the spammer would have to change his IP somehow, which I believe is a mess, so he'll give it up...


Now, where I have problems is how to get the recent (second, third and no more) IPs from the database.

Posted: Fri Aug 01, 2003 5:55 am
by Fredix
if someone is interested:

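Code:

<?php
// Assumes $db is an open connection from mysql_connect(). The mysql_* extension
// used here was removed in PHP 7; mysqli and PDO are its replacements.
$query  = "SELECT ip FROM gis_shoutbox ORDER BY date DESC";
$result = mysql_query($query, $db);

// Only compare when the query succeeded and at least three posts exist;
// seeking past the last row would otherwise raise a warning.
if ($result && mysql_num_rows($result) >= 3)
{
    // Newest post
    mysql_data_seek($result, 0);
    $ip = mysql_fetch_row($result);
    if ($ip[0] == $_SERVER['REMOTE_ADDR'])
    {
        // Second newest post
        mysql_data_seek($result, 1);
        $ip = mysql_fetch_row($result);
        if ($ip[0] == $_SERVER['REMOTE_ADDR'])
        {
            // Third newest post
            mysql_data_seek($result, 2);
            $ip = mysql_fetch_row($result);
            if ($ip[0] == $_SERVER['REMOTE_ADDR'])
            {
                // Message: "You already have 3 posts, take a break!"
                die ("Sie haben bereits 3 posts, machen Sie eine Pause!");
            }
        }
    }
}
?>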
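
An added example, not code from any poster in this thread: the "three in a row" rule and the time-window rule discussed above, combined in one server-side check that uses a prepared statement and LIMIT. The table `shoutbox`, its columns, the limits and the sample rows are assumptions; it runs against an in-memory SQLite database so it can be tried offline.

```php
<?php
// Added example, not code from the thread. Table and column names, the
// limits and the sample rows are assumptions made for illustration.
function may_post(PDO $db, string $ip, int $now, int $maxRun = 3,
                  int $window = 300, int $maxInWindow = 10): bool
{
    // Rule 1, the thread's "three in a row": LIMIT makes the database return
    // only the newest $maxRun rows instead of the whole table.
    $stmt = $db->prepare(
        'SELECT ip FROM shoutbox ORDER BY posted_at DESC, id DESC LIMIT :n');
    $stmt->bindValue(':n', $maxRun, PDO::PARAM_INT);
    $stmt->execute();
    if ($stmt->fetchAll(PDO::FETCH_COLUMN) === array_fill(0, $maxRun, $ip)) {
        return false; // the newest $maxRun posts all came from this address
    }

    // Rule 2, the time window suggested earlier in the thread: cap the total
    // per address, which rule 1 alone does not bound.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM shoutbox WHERE ip = :ip AND posted_at > :since');
    $stmt->execute([':ip' => $ip, ':since' => $now - $window]);
    return (int) $stmt->fetchColumn() < $maxInWindow;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, ip TEXT,
           posted_at INTEGER, body TEXT)');
$ins = $db->prepare('INSERT INTO shoutbox (ip, posted_at, body) VALUES (?, ?, ?)');
$t = 1000000; // constructed timestamp
foreach (['198.51.100.7', '203.0.113.5', '203.0.113.5', '203.0.113.5'] as $i => $addr) {
    $ins->execute([$addr, $t + $i, "message $i"]);
}

// In a real handler $ip is $_SERVER['REMOTE_ADDR'] and $now is time().
foreach (['203.0.113.5', '198.51.100.7'] as $addr) {
    printf("%-13s %s\n", $addr, may_post($db, $addr, $t + 10) ? 'accept' : 'reject');
}
```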

Posted: Mon Aug 11, 2003 10:32 pm
by Bennettman
Shouldn't adding a LIMIT 1 to the SQL command stop reload-reposts?

Posted: Mon Aug 11, 2003 10:47 pm
by JAM
Followup on the logging ip's:
Why not ask the database each time if the text inserted is the same as the previous one, if so, abort?

Another idea, is to use javascript's onClick to disable the button once it's been clicked upon...

Posted: Tue Aug 12, 2003 5:13 am
by Fredix
@Bennettman
I didn't know anything about a limit function. I'll have to check the mysql reference 8)

@JAM
Your first solution isn't too good because as a spammer I would randomly generate the text in a flooding script.

JS solutions are always bad as JS can be disabled and because a spammer would use his own script, as I said, to send POST or GET requests.

Posted: Tue Aug 12, 2003 5:41 am
by JAM
Fredix wrote: Your first solution isn't too good because as a spammer I would randomly generate the text in a flooding script.
Very true... I was thinking about 'double clickers' that perhaps aren't too common today.
Fredix wrote: JS solutions are always bad as JS can be disabled and because a spammer would use his own script, as I said, to send POST or GET requests
Also true.

Oh slap me. =)

Posted: Tue Aug 12, 2003 5:30 pm
by qartis
Yea, if you're checking the database for the same entry before submitting it, that's what prompted spammers to put "qfRe89ejF3" after email subjects - after all, "grilled spam" isn't the same as "grilled spam".

Now, a clever programmer would just use a sly combination of similar_text, levenshtein and check those values, because a 200 word forum post can be matched to an identical one, especially if it's only got a little garbled string at the end. However, to run levenshtein on 5,000 200-word forum posts every time someone submits the form is kind of fanatical. Are you sure you have a problem with spam, or is this just precautionary?
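
An added example, not code from any poster in this thread: a near-duplicate check built on `similar_text`, run only against a small window of recent posts rather than the whole table. The 90% threshold, the trailing-token pattern and the sample posts are assumptions.

```php
<?php
// Added example, not code from the thread. Threshold, tail pattern and the
// sample posts are assumptions made for illustration.
function normalize_post(string $text): string
{
    $text = strtolower(trim($text));
    // Drop one trailing token of 6+ characters that mixes letters and digits,
    // the "qfRe89ejF3" style suffix mentioned above.
    $text = preg_replace(
        '/\s+(?=[a-z0-9]*[0-9])(?=[a-z0-9]*[a-z])[a-z0-9]{6,}$/', '', $text);
    return preg_replace('/\s+/', ' ', $text); // collapse whitespace runs
}

function is_near_duplicate(string $new, array $recentPosts,
                           float $minPercent = 90.0): bool
{
    $a  = normalize_post($new);
    $la = strlen($a);
    // similar_text's percentage is 200 * common / (len1 + len2), so a pair
    // whose shorter side is below this ratio of the longer cannot reach
    // $minPercent and is skipped without the expensive comparison.
    $ratio = $minPercent / (200.0 - $minPercent);
    foreach ($recentPosts as $old) {
        $b  = normalize_post($old);
        $lb = strlen($b);
        if (min($la, $lb) < $ratio * max($la, $lb)) {
            continue;
        }
        // similar_text is used because levenshtein() rejected arguments
        // longer than 255 characters before PHP 8.
        similar_text($a, $b, $percent);
        if ($percent >= $minPercent) {
            return true;
        }
    }
    return false;
}

// Constructed sample: in practice $recent holds the newest few dozen posts,
// fetched with a LIMIT clause.
$recent = [
    'Cheap watches at example.invalid, limited offer this week only',
    'Does anyone know when the next release is out?',
];
$candidates = [
    'Cheap watches at example.invalid, limited offer this week only qfRe89ejF3',
    'Thanks, the LIMIT clause fixed my query',
];
foreach ($candidates as $post) {
    printf("%s => %s\n", $post, is_near_duplicate($post, $recent) ? 'reject' : 'accept');
}
```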