Stop flooding on Feedback form
I have a feedback form that, when completed and submitted, is sent to a mailbox. I was going to stop the frontend user from submitting more than one feedback form in a given five minutes to prevent flooding.
The way I was going to try this was by setting up an SQL DB that makes a note of the user's IP address and the time they submitted the feedback form. Before the PHP script accepts the data, though, and does the latter, it first checks for any entries that are older than five minutes and purges them. After doing this it then checks the database for the user's IP address. If it is there then the form is rejected and the user is told why. If, when it checks for the user's IP, it does not exist, then the data is accepted.
Would this be the best way of doing this that is realistic? I want to avoid using cookies for this as they can be easily deleted.
Many Thanks
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Be careful of basing this on IP alone. IPs change. On an ISP joebloggs might have an IP but then release it after 60 mins; fredsmith may then connect to the internet and receive joebloggs' old IP address. If you have blocked that address you've now prevented fredsmith from using your page, whilst joebloggs can still use it again.
Proxy servers.... some entire countries use these, which makes users all appear on the same IP. The FORWARDED-FOR header is not always sent either.
I'd use cookies myself... the other approach is to make them "register" an email address or something although I can see the inconvenience of that for a feedback form.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Why not simply store a timestamp in sessions? This should be slightly more reliable than IP alone. To bypass it the user would need to disable cookies, and modify the session ID in the URL. Still, this would probably solve 90% of it.
```php
<?php
session_start();

$flood_limit = 30; // Number of seconds between posts

// Assumption: a POST request means the form is being submitted
$posting = ($_SERVER['REQUEST_METHOD'] === 'POST');

if ($posting)
{
    // Time of this session's previous post, or 0 if there was none
    $last_post = (isset($_SESSION['last_post'])) ? $_SESSION['last_post'] : 0;
    $time_passed = time() - $last_post;

    if ($time_passed >= $flood_limit)
    {
        $_SESSION['last_post'] = time();
        // user is allowed to post, SQL statements here
    }
    else
    {
        // user is not allowed to post, show error
        die("You must wait at least ".$flood_limit." seconds before posting another message");
    }
}
```
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
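
Added example, not part of the original thread: one way to combine the two ideas discussed above, the purge-then-check table keyed by IP from the question and the session timestamp from the reply, with a per-address allowance so that users behind a shared proxy address are not locked out by one submission. The `feedback_log` table, the constants, the function name and the demo values are assumptions, and the demo needs the `pdo_sqlite` extension.

```php
<?php
// Added example, not code from the thread. Table, constants and function name are assumptions.
const WINDOW_SECONDS = 300; // the five-minute window from the question
const MAX_PER_IP = 3;       // assumed allowance, so users sharing a proxy IP are not locked out

function allow_submission(PDO $db, array &$session, string $ip, int $now): bool
{
    // Per-browser check (session timestamp), so a shared address does not block a second user.
    if (isset($session['last_post']) && $now - $session['last_post'] < WINDOW_SECONDS) {
        return false;
    }
    $db->beginTransaction(); // keep purge, count and insert together
    // Purge entries older than the window, as the question describes.
    $db->prepare('DELETE FROM feedback_log WHERE submitted_at <= ?')
       ->execute([$now - WINDOW_SECONDS]);
    // Per-address cap: still applies when the client discards its session cookie.
    $stmt = $db->prepare('SELECT COUNT(*) FROM feedback_log WHERE ip = ?');
    $stmt->execute([$ip]);
    $allowed = (int) $stmt->fetchColumn() < MAX_PER_IP;
    if ($allowed) {
        $db->prepare('INSERT INTO feedback_log (ip, submitted_at) VALUES (?, ?)')
           ->execute([$ip, $now]);
        $session['last_post'] = $now;
    }
    $db->commit();
    return $allowed;
}

// Constructed demo data: in-memory SQLite, one shared address from a documentation range.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback_log (ip TEXT NOT NULL, submitted_at INTEGER NOT NULL)');
$db->exec('CREATE INDEX feedback_log_ip ON feedback_log (ip)');

$ip = '203.0.113.7';
$t = 1000000;
$alice = []; $bob = []; $f1 = []; $f2 = []; $f3 = [];
$results = [
    'alice, first post'              => allow_submission($db, $alice, $ip, $t),
    'alice again after 10 s'         => allow_submission($db, $alice, $ip, $t + 10),
    'bob, same IP, own session'      => allow_submission($db, $bob, $ip, $t + 20),
    'no cookie, third from this IP'  => allow_submission($db, $f1, $ip, $t + 30),
    'no cookie, fourth from this IP' => allow_submission($db, $f2, $ip, $t + 40),
    'no cookie, after the window'    => allow_submission($db, $f3, $ip, $t + 301),
];
foreach ($results as $case => $ok) {
    echo str_pad($case, 34), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

In a form handler the call would be `allow_submission($db, $_SESSION, $_SERVER['REMOTE_ADDR'], time())` after `session_start()`.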