
Stop flooding on Feedback form

Posted: Fri Jul 14, 2006 9:02 pm
by phppage
I have a feedback form that, when completed and submitted, is sent to a mail box. I was going to stop the frontend user from submitting more than one feedback form in a given five minutes to prevent flooding.

The way I was going to try this was by setting up an SQL DB that makes a note of the user's IP address and the time they submitted the feedback form. Before the PHP script accepts the data though and does the latter, it first checks for any entries that are older than five minutes and purges them. After doing this it then checks the database for the user's IP address. If it is there then the form is rejected and the user is told why. If when it checks for the user's IP it does not exist then the data is accepted.

Would this be the best way of doing this that is realistic? I want to avoid using cookies for this as they can be easily deleted.

Many Thanks
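For readers who want to see what the scheme described above looks like in code, here is an added example (not code from the thread or from any of its posters). It implements the purge-then-check-then-record logic against a small SQLite table through PDO; the table name, column names, function names and the five-minute window are assumptions, and the pdo_sqlite extension is assumed to be available. It keys on REMOTE_ADDR rather than a client-supplied forwarding header, since that header can be set to anything by the sender.

```php
<?php
// Added example: IP-keyed throttle with purge of stale rows, as described in the post.
// Schema and function names are assumptions made for this example.
declare(strict_types=1);

function open_throttle_db(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS feedback_throttle (
        ip TEXT PRIMARY KEY,
        submitted_at INTEGER NOT NULL
    )');
    return $db;
}

// Returns true if the submission may proceed, false if this IP already
// submitted inside the window. Stale rows are purged first, then the IP is
// looked up, then (if absent) recorded; all inside one transaction so two
// concurrent requests from the same IP cannot both slip through.
function allow_submission(PDO $db, string $ip, int $now, int $window = 300): bool
{
    $db->beginTransaction();
    try {
        $purge = $db->prepare('DELETE FROM feedback_throttle WHERE submitted_at < :cutoff');
        $purge->execute([':cutoff' => $now - $window]);

        $check = $db->prepare('SELECT 1 FROM feedback_throttle WHERE ip = :ip');
        $check->execute([':ip' => $ip]);
        if ($check->fetchColumn() !== false) {
            $db->commit();
            return false;
        }

        $insert = $db->prepare('INSERT INTO feedback_throttle (ip, submitted_at) VALUES (:ip, :t)');
        $insert->execute([':ip' => $ip, ':t' => $now]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// REMOTE_ADDR is what the TCP connection reports; X-Forwarded-For is set by the
// client (or a proxy) and must not be trusted for throttling. The literal address
// is a constructed fallback so the script also runs from the command line.
$db  = open_throttle_db();
$ip  = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.10';
$now = time();

$scenarios = [
    [$now,       'first submission'],
    [$now + 60,  'same IP one minute later'],
    [$now + 301, 'same IP after the window has elapsed'],
];
foreach ($scenarios as [$t, $label]) {
    echo $label, ': ', allow_submission($db, $ip, $t) ? 'accepted' : 'rejected', PHP_EOL;
}
```

The three calls at the bottom walk through the cases the post describes: a fresh address, a repeat inside five minutes, and a repeat once the old row has been purged. As the replies below point out, anything keyed on IP alone will also block unrelated users behind the same proxy or NAT, and will not stop a sender whose address rotates faster than the window, so treat this as a speed bump rather than a guarantee.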

Posted: Fri Jul 14, 2006 10:07 pm
by feyd
Your security measures are avoidable by malicious abusers, but it would slow the lesser ones.. for a time.

Posted: Sat Jul 15, 2006 2:58 am
by Chris Corbyn
Be careful of basing this on IP alone. IPs change. On an ISP joebloggs might have an IP but then release it after 60 mins; fredsmith may then connect to the internet and receive joebloggs' old IP address. If you have blocked that address you've now prevented fredsmith from using your page, whilst joebloggs can still use it again.

Proxy servers... some entire countries use these, which makes users all appear on the same IP. The FORWARDED-FOR header is not always sent either.

I'd use cookies myself... the other approach is to make them "register" an email address or something although I can see the inconvenience of that for a feedback form.

Posted: Sat Jul 15, 2006 3:07 am
by RobertGonzalez
I'll tell you right now, proxy servers might pork your system. I am on a proxy at work and our IPs shuffle about every 20 minutes. I know you said five, but if they can shuffle every 20 they can shuffle every 4.

Posted: Sat Jul 15, 2006 9:13 am
by phppage
Some great pointers there, cheers folks. Have not published this site yet so will have to see how it goes when I do. If I get such attacks then I might implement it then. But I guess I am better avoiding it.

Posted: Sat Jul 15, 2006 12:14 pm
by Ambush Commander
I would recommend queueing the messages in a database, and sending them all out on say a 6-hour basis together in one email. Even if you do get flooded, it's not as bad (you could even have it detect floods when there are x many responses).
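An added example of the queue-and-digest approach suggested above (not code from the thread or from any poster): the form handler only stores the message, and a separate job, meant to be run from cron every few hours, builds one digest email from everything unsent and flags a possible flood when the count exceeds a threshold. The SQLite schema, function names, the threshold and the capturing send callback are all assumptions for this example; in a real deployment the callback would wrap mail() or a mail library.

```php
<?php
// Added example: queue feedback in a table, flush as one digest, flag floods.
// Schema, function names and threshold are assumptions made for this example.
declare(strict_types=1);

function open_queue_db(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS feedback_queue (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        received_at INTEGER NOT NULL,
        sender TEXT NOT NULL,
        body TEXT NOT NULL,
        sent INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Called by the form handler: store only, never email at request time.
function queue_feedback(PDO $db, string $sender, string $body, int $now): void
{
    $stmt = $db->prepare('INSERT INTO feedback_queue (received_at, sender, body) VALUES (:t, :s, :b)');
    $stmt->execute([':t' => $now, ':s' => $sender, ':b' => $body]);
}

// Called from cron (e.g. every six hours). Collects unsent rows into one digest,
// prepends a warning when the count exceeds $flood_threshold, hands subject and
// text to $send, then marks the rows as sent. Returns the number of messages included.
function flush_queue(PDO $db, int $flood_threshold, callable $send): int
{
    $rows = $db->query('SELECT id, received_at, sender, body FROM feedback_queue WHERE sent = 0 ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
    if ($rows === []) {
        return 0;
    }
    $count = count($rows);
    $lines = [];
    if ($count > $flood_threshold) {
        $lines[] = sprintf('WARNING: %d messages queued since the last digest (threshold %d); possible flood.',
                           $count, $flood_threshold);
        $lines[] = '';
    }
    foreach ($rows as $row) {
        // The sender field is user-controlled; collapse newlines so one entry
        // cannot forge another entry's header line inside the digest.
        $sender  = str_replace(["\r", "\n"], ' ', $row['sender']);
        $lines[] = sprintf('[%s] %s', date('Y-m-d H:i:s', (int) $row['received_at']), $sender);
        $lines[] = $row['body'];
        $lines[] = '---';
    }
    // Subject is built server-side from a number only, so no user text reaches a mail header.
    $send(sprintf('Feedback digest (%d messages)', $count), implode("\n", $lines));

    $ids = implode(',', array_map('intval', array_column($rows, 'id')));
    $db->exec("UPDATE feedback_queue SET sent = 1 WHERE id IN ($ids)");
    return $count;
}

// Constructed sample run: one genuine message followed by a burst of 25 from
// a single sender, with a capturing callback standing in for mail().
$db  = open_queue_db();
$now = time();
queue_feedback($db, 'alice@example.com', 'Nice site.', $now);
for ($i = 0; $i < 25; $i++) {
    queue_feedback($db, 'bot@example.net', 'spam ' . $i, $now + $i);
}
$included = flush_queue($db, 20, function (string $subject, string $text): void {
    echo $subject, PHP_EOL, $text, PHP_EOL;
});
echo 'Messages included in digest: ', $included, PHP_EOL;
```

Because the inbox receives at most one email per flush regardless of how many forms were submitted, a flood costs the recipient one long message rather than hundreds, and the warning line at the top of the digest is the "detect floods when there are x many responses" idea in its simplest form. The threshold and interval are the knobs to tune once real traffic is known.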

Posted: Mon Jul 17, 2006 1:13 pm
by Ward
Why not simply store a timestamp in sessions? This should be slightly more reliable than IP alone. To bypass it the user would need to disable cookies, and modify the session ID in the URL. Still, this would probably solve 90% of it.

<?php
session_start();
$flood_limit = 30;   // Number of seconds between posts

// Treat the request as a post attempt only when the form was actually submitted
$posting = ($_SERVER['REQUEST_METHOD'] === 'POST');

if ($posting)
{
     // Timestamp of this visitor's last accepted post, 0 if none yet
     $last_post = (isset($_SESSION['last_post'])) ? $_SESSION['last_post'] : 0;
     $time_passed = time() - $last_post;
     if ($time_passed >= $flood_limit)
     {
          $_SESSION['last_post'] = time();
          // user is allowed to post, SQL statements here
     }
     else
     {
          // user is not allowed to post, show error
          die("You must wait at least ".$flood_limit." seconds before posting another message");
     }
}

Posted: Mon Jul 17, 2006 5:51 pm
by phppage
Cheers Ward, that looks like it would be difficult to get round.

Posted: Tue Jul 18, 2006 12:37 am
by RobertGonzalez
I think that is the method used by phpBB. It works, but can lead to smurf of users if it affects edits as well as posts.

Posted: Tue Jul 18, 2006 6:04 am
by Ambush Commander
phpBB requires logins, however, so the session can be tied to a user. Anonymous emails can get around it, probably by default if they're using a bot.

Posted: Tue Jul 18, 2006 8:32 am
by RobertGonzalez
True. I should have clarified that the flood prevention mechanism uses the same concept.