Stop flooding on Feedback form

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

I have a feedback form that, when completed and submitted, is sent to a mailbox. I was going to stop the frontend user from submitting more than one feedback form in a given five minutes to prevent flooding.

The way I was going to try this was by setting up an SQL DB that makes a note of the user's IP address and the time they submitted the feedback form. Before the PHP script accepts the data and does the latter, though, it first checks for any entries that are older than five minutes and purges them. After doing this it then checks the database for the user's IP address. If it is there then the form is rejected and the user is told why. If, when it checks for the user's IP, it does not exist, then the data is accepted.

Would this be the best way of doing this that is realistic? I want to avoid using cookies for this as they can be easily deleted.

Many Thanks
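The purge-then-check scheme described in the post above, written out as an added example; this is not code from the original thread or from phppage's site. It uses PDO with SQLite so it can be run from the command line, and the table name, column names and 300-second window are assumptions. It reads REMOTE_ADDR rather than a forwarded-for header, because that header is supplied by the client unless a trusted reverse proxy overwrites it, and an abuser could send a fresh value on every request.

```php
<?php
// Added example (not from the original post): the IP-and-timestamp
// rate limiter phppage describes. Table and column names and the
// 5-minute window are assumptions.

const FLOOD_WINDOW = 300; // seconds a sender must wait between submissions

function openFloodDb(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS feedback_flood (
                   ip TEXT PRIMARY KEY,
                   submitted_at INTEGER NOT NULL)');
    return $db;
}

/**
 * Returns true if the sender may submit now, and records the attempt.
 * Step 1: purge entries older than the window.
 * Step 2: reject if the IP is still present.
 * Step 3: otherwise record the IP with the current time.
 */
function feedbackAllowed(PDO $db, string $ip, int $now, int $window = FLOOD_WINDOW): bool
{
    $db->beginTransaction();
    try {
        $purge = $db->prepare('DELETE FROM feedback_flood WHERE submitted_at < :cutoff');
        $purge->execute([':cutoff' => $now - $window]);

        $check = $db->prepare('SELECT 1 FROM feedback_flood WHERE ip = :ip');
        $check->execute([':ip' => $ip]);
        if ($check->fetchColumn() !== false) {
            $db->commit();   // keep the purge; the sender is still inside the window
            return false;
        }

        $insert = $db->prepare('INSERT INTO feedback_flood (ip, submitted_at) VALUES (:ip, :t)');
        $insert->execute([':ip' => $ip, ':t' => $now]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

// Use the address the TCP connection actually came from. X-Forwarded-For
// is attacker-controlled unless a trusted reverse proxy sets it.
function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Demonstration with constructed input when run from the CLI.
if (PHP_SAPI === 'cli') {
    $db = openFloodDb();
    $t0 = 1000000;   // constructed base timestamp
    $show = function (string $label, bool $ok): void {
        printf("%-30s %s\n", $label . ':', $ok ? 'accepted' : 'rejected');
    };
    $show('first submission',          feedbackAllowed($db, '203.0.113.5', $t0));
    $show('same IP one minute later',  feedbackAllowed($db, '203.0.113.5', $t0 + 60));
    $show('same IP after the window',  feedbackAllowed($db, '203.0.113.5', $t0 + 301));
}
```

In a web handler the call is `feedbackAllowed($db, clientIp(), time())` before the mail is sent. The transaction matters: without it two near-simultaneous requests from one address can both pass the SELECT before either INSERT lands, and the primary key on `ip` then turns the second INSERT into an error rather than a silent double submission.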
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your security measures are avoidable by malicious abusers, but it would slow the lesser ones... for a time.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Be careful of basing this on IP alone. IPs change. On an ISP joebloggs might have an IP but then release it after 60 mins; fredsmith may then connect to the internet and receive joebloggs' old IP address. If you have blocked that address you've now prevented fredsmith from using your page, whilst joebloggs can still use it again.

Proxy servers.... some entire countries use these, which makes users all appear on the same IP. The FORWARDED-FOR header is not always sent either.

I'd use cookies myself... the other approach is to make them "register" an email address or something although I can see the inconvenience of that for a feedback form.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I'll tell you right now, proxy servers might pork your system. I am on a proxy at work and our IPs shuffle about every 20 minutes. I know you said five, but if they can shuffle every 20 they can shuffle every 4.
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

Some great pointers there, cheers folks. Have not published this site yet so will have to see how it goes when I do. If I get such attacks then I might implement it then. But I guess I am better avoiding it.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I would recommend queueing the messages in a database, and sending them all out on say a 6-hour basis together in one email. Even if you do get flooded, it's not as bad (you could even have it detect floods when there are x many responses).
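The queue-and-digest approach from the post above, as an added example that is not code from the original thread. The form handler only inserts a row; a scheduled job (cron every six hours, say) builds one digest from everything unsent and hands it to a mailer callback. When the batch exceeds a threshold the job sends a per-IP summary instead of the raw messages, which is the flood detection the post mentions. The table layout, the threshold of 50 and the mailer callback are assumptions; the page does not specify any of them.

```php
<?php
// Added example (not from the original post): queue feedback rows and
// flush them as one digest e-mail on a schedule, flagging a flood when
// the batch exceeds a threshold. Table, threshold and mailer are assumptions.

const FLOOD_THRESHOLD = 50;   // more queued messages than this in one run is treated as a flood

function openQueueDb(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS feedback_queue (
                   id INTEGER PRIMARY KEY AUTOINCREMENT,
                   ip TEXT NOT NULL,
                   body TEXT NOT NULL,
                   received_at INTEGER NOT NULL,
                   sent INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Called by the form handler: nothing is mailed here, only stored.
function enqueueFeedback(PDO $db, string $ip, string $body, int $now): void
{
    $stmt = $db->prepare('INSERT INTO feedback_queue (ip, body, received_at) VALUES (:ip, :body, :t)');
    $stmt->execute([':ip' => $ip, ':body' => $body, ':t' => $now]);
}

/**
 * Called from cron. Builds one digest from all unsent rows, hands it to
 * $mailer, and marks the rows sent. Returns [message count, flood flag].
 *
 * @param callable $mailer function(string $subject, string $body): void
 */
function flushDigest(PDO $db, callable $mailer, int $threshold = FLOOD_THRESHOLD): array
{
    $rows = $db->query('SELECT id, ip, body, received_at FROM feedback_queue WHERE sent = 0 ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
    $count = count($rows);
    if ($count === 0) {
        return [0, false];
    }

    $flood = $count > $threshold;
    if ($flood) {
        // Do not forward the raw flood; summarise by source so the inbox stays usable.
        $perIp = [];
        foreach ($rows as $r) {
            $perIp[$r['ip']] = ($perIp[$r['ip']] ?? 0) + 1;
        }
        arsort($perIp);
        $lines = [];
        foreach ($perIp as $ip => $n) {
            $lines[] = sprintf('%-15s %d', $ip, $n);
        }
        $subject = sprintf('[FLOOD] %d feedback messages queued', $count);
        $body = "Submissions per IP:\n" . implode("\n", $lines) . "\n";
    } else {
        $subject = sprintf('Feedback digest: %d message(s)', $count);
        $parts = [];
        foreach ($rows as $r) {
            $parts[] = sprintf("--- #%d from %s at %s ---\n%s",
                $r['id'], $r['ip'], gmdate('Y-m-d H:i:s', (int) $r['received_at']), $r['body']);
        }
        $body = implode("\n\n", $parts) . "\n";
    }

    $mailer($subject, $body);

    // ids are cast to int, so the IN list cannot carry injected SQL
    $ids = implode(',', array_map(function ($r) { return (int) $r['id']; }, $rows));
    $db->exec("UPDATE feedback_queue SET sent = 1 WHERE id IN ($ids)");

    return [$count, $flood];
}

// Demonstration with constructed input when run from the CLI.
if (PHP_SAPI === 'cli') {
    $db = openQueueDb();
    $t0 = 1000000;   // constructed base timestamp
    $printMailer = function (string $subject, string $body): void {
        echo "Subject: $subject\n$body\n";   // stand-in for mail() in this demo
    };
    enqueueFeedback($db, '203.0.113.5', 'Nice site.', $t0);
    enqueueFeedback($db, '198.51.100.7', 'Broken link on the contact page.', $t0 + 30);
    flushDigest($db, $printMailer);                  // normal digest of two messages

    for ($i = 0; $i < 60; $i++) {                    // burst from one address before the next run
        enqueueFeedback($db, '192.0.2.9', "spam $i", $t0 + 100 + $i);
    }
    flushDigest($db, $printMailer);                  // exceeds the threshold: per-IP summary only
}
```

Because the mailer is a callback, the same `flushDigest` can be pointed at `mail()` in production and at an in-memory collector in tests. The flood summary deliberately leaves the message bodies in the table unsent=1 rather than deleting them, so they can still be inspected after the fact.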
Ward
Forum Commoner
Posts: 74
Joined: Thu Jul 13, 2006 10:01 am

Post by Ward »

Why not simply store a timestamp in sessions? This should be slightly more reliable than IP alone. To bypass it the user would need to disable cookies, and modify the session ID in the URL. Still, this would probably solve 90% of it.

Code:

session_start();
$flood_limit = 30;   // Number of seconds between posts

// Only apply the check to form submissions, not to ordinary page views
$posting = ($_SERVER['REQUEST_METHOD'] === 'POST');

if ($posting)
{
     $last_post = isset($_SESSION['last_post']) ? (int) $_SESSION['last_post'] : 0;
     $time_passed = time() - $last_post;
     if ($time_passed >= $flood_limit)
     {
          $_SESSION['last_post'] = time();
          // user is allowed to post, SQL statements here
     }
     else
     {
          // user is not allowed to post, show error
          die("You must wait at least ".$flood_limit." seconds before posting another message");
     }
}
phppage
Forum Contributor
Posts: 126
Joined: Mon Apr 24, 2006 1:47 pm
Location: West Yorkshire, UK

Post by phppage »

Cheers Ward, that looks like it would be difficult to get round.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think that is the method used by phpBB. It works, but can lead to smurf of users if it affects edits as well as posts.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

phpBB requires logins, however, so the session can be tied to a user. Anonymous emails can get around it, probably by default if they're using a bot.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

True. I should have clarified, that the flood prevention mechanism uses the same concept.