Flood protection
I have a form which sends data to the db. I am using a text number as verification; I am also using a flood-protection script I got on the net, which logs the IP and the time in the db, and then it works.
IP addresses are the easiest to spoof using simple techniques.
Now if the user presses the back button in the browser, the text number (captcha) remains the same and they can submit the form again after the 10 sec. flooding period. How to prevent this?
Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.
Also, to make the captcha image generate a new image, add a random string to the page that generates the image, to prevent caching.
Code: Select all
echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';
scottayy wrote:
Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.

How will that help? By the time I compare the time on the processing page it will not match.
I am not clear what exactly you mean by comparing timestamps;
should I store the time in the session on the form and then send it as a hidden value to the processing page and then compare?
One more thing: if the user presses the back button, then what will the value in the session be, the CURRENT value or the value that was posted previously?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Don't compare with time()... scottayy was thinking right, but probably just ended up writing it wrong.
You have a few choices (that I'd recommend). One of them is to do as scottayy said with comparing some sort of unique id such as the timestamp with the last submitted form. Save a hidden field with the unique id of that particular submission then save them into the session. If it encounters the same unique id in the form that is in the session, it is likely a duplicate submission. Otherwise, save the new unique id into the session.
The downside of that approach is when someone wants to change the information that they entered into a form by traveling back to it via the back button and altering it. In that case, an interesting way to do it would be to actually compare the form values using the session. This would be done by imploding the $_POST array or making a foreach loop that implodes the array with both the keys and values included (to avoid glitches).
The last approach is to simply stop them from being able to use the back button to re-submit the data. This can be done with the 'Location' header by technically "replacing" the page with the posted information with a different page (or itself).
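The session-timestamp check scottayy describes and the one-time unique id plus 'Location' redirect superdezign describes, put together in PHP as an added example (this is not code posted in this thread). It assumes the form posts to itself, that the session has been started, and a hypothetical thanks.php as the redirect target:

```php
<?php
// Added example, not code from the thread. Three defences against a re-POST
// from the back button: a single-use form token kept in the session, a
// per-session timestamp for the flood window, and Post/Redirect/Get so the
// POSTed page never stays in the browser history.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

const FLOOD_WINDOW_SECONDS = 10; // minimum gap between two accepted submissions

/** Issue a fresh token for the form being rendered; valid for exactly one submission. */
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(16));   // unpredictable, unlike md5(microtime())
    $_SESSION['form_token'] = $token;
    return $token;
}

/**
 * Compare the submitted token with the one in the session and consume it.
 * Only the first submission carrying the current token passes; a re-POST of
 * the same form (back button, refresh) carries a token that no longer exists.
 */
function consumeFormToken(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['form_token'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $submitted); // constant-time compare
    unset($_SESSION['form_token']);                          // single use, match or not
    return $ok;
}

/** True when less than FLOOD_WINDOW_SECONDS have passed since the last accepted post. */
function withinFloodWindow(int $now): bool
{
    $last = (int) ($_SESSION['last_submit'] ?? 0);
    return ($now - $last) < FLOOD_WINDOW_SECONDS;
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeFormToken($_POST['form_token'] ?? null)) {
        $error = 'Duplicate or missing form token.';
    } elseif (withinFloodWindow(time())) {
        $error = 'Please wait before submitting again.';
    } else {
        // ... validate the captcha and the other fields, then write to the db ...
        $_SESSION['last_submit'] = time();
        // Post/Redirect/Get: the history entry becomes the GET of thanks.php
        // (hypothetical path), so "back" and "refresh" cannot repeat the POST.
        header('Location: thanks.php', true, 303);
        exit;
    }
}

// Every render gets a new token; an edited re-submission after "back" is
// therefore accepted, while a replay of the old form is not.
$token = issueFormToken();
?>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <!-- captcha field and the other form fields go here -->
  <button type="submit">Send</button>
</form>
```

The token answers kkonline's question about what the session holds after the back button: the session always holds the token of the most recently rendered form, so the stale token in the old page never matches. Because the timestamp lives in the session rather than in a hidden field, the client cannot reset the flood window by editing the form.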
scottayy wrote:
Also, to make the captcha image generate a new image, add a random string to the page that generates the image, to prevent caching.
Code: Select all
echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';

To generate the code I use
Code: Select all
<?php
error_reporting(E_WARNING);
if (function_exists('session_start')) session_start();
$name = "secCode"; // session variable name
// random_int() (PHP 7+) is unpredictable, so no srand()/microtime() seeding is needed
$secCode = '';
for ($i = 0; $i < 6; $i++) $secCode .= random_int(0, 9);
$_SESSION[$name] = $secCode; // the processing page compares against this value
echo $_SESSION[$name];
?>
Code: Select all
if (isset($_POST['secCode']) && isset($_SESSION['secCode'])
    && hash_equals((string) $_SESSION['secCode'], (string) $_POST['secCode'])) // strict compare; == treats "012345" and "12345" as equal
{
    // correct security code, now validate name and other fields
}

As quoted by you, "add a random string to the page that generates the image, to prevent caching." How do I implement this on the script I am using?
- superdezign
kkonline wrote:
I am using a text-based number display rather than an image (as images are cached by the browser); now on pressing the back button I still get the same text code displayed ...

That destroys the whole purpose of the captcha, you know.

kkonline wrote:
As quoted by you, "add a random string to the page that generates the image, to prevent caching." How do I implement this on the script I am using?

He's saying that if you add a random string to the end of *any* URL, it will prevent the cache from showing the same data.
OK, now I understand what you and scottayy mean. However, when I write
Code: Select all
<?php echo "<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'>" ?></td>
to append a random string to the secure code (captcha script), in the SOURCE CODE I get the following
Code: Select all
<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'></td>
rather than the actual value of randomString, which should be appended.
What is the problem with the code?
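The output shown above is exactly what the posted line produces: the single quotes and dots sit inside one double-quoted PHP string, so `md5(microtime())` is never evaluated and is copied into the HTML as text. As an added example (not code from the thread), the same tag built with the concatenation outside the string; the path /includes/seccode.inc.php is taken from the post above, the helper names are assumed:

```php
<?php
// Added example, not code from the thread. Build the URL in PHP first, then
// escape it for the attribute, so the cache-busting value is really appended.
declare(strict_types=1);

/** Return an <img> tag whose src carries a fresh query string on every render. */
function captchaImgTag(string $scriptPath = '/includes/seccode.inc.php'): string
{
    // Any value that differs per render defeats the browser cache; random_bytes()
    // is used so the value is also unpredictable, unlike md5(microtime()).
    $cacheBuster = bin2hex(random_bytes(8));
    $src = $scriptPath . '?randomString=' . $cacheBuster;
    return "<img src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . "' width='71' height='21' alt='Security code'>";
}

/**
 * Headers the script that draws the code (seccode.inc.php) should send before
 * any output: the query string only bypasses the browser cache, these tell
 * browsers and proxies not to store the response at all.
 */
function sendNoCacheHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

echo captchaImgTag();
// Renders e.g. <img src='/includes/seccode.inc.php?randomString=9c1e...' width='71' height='21' alt='Security code'>
// (the randomString value is different on every request).
```

A new query string per render means the browser requests the image again after the back button, so the captcha script runs again and replaces $_SESSION['secCode'] with a new value; the code shown in the stale page then no longer matches the session, which is the behaviour kkonline was looking for.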