
Flood protection

Posted: Sun Sep 09, 2007 4:37 am
by kkonline
I have a form which sends data to the db. I am using a text number as verification; also I am using a flood protection script I got on the net. It logs the IP and the time in the db, and then works.

IP addresses are the easiest to spoof using simple techniques.

Now if the user presses the back button in the browser, the text number (captcha) remains the same, and they can submit the form again after the 10 sec. flooding period. How to prevent this?

Posted: Sun Sep 09, 2007 4:45 am
by s.dot
Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.

Also, to make the captcha script generate a new image, add a random string to the URL of the page that generates the image, to prevent caching.

Code:

echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';
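The two pieces of advice above, written out as an added example (not code from the original thread): a server-side throttle that keeps the last submission time in `$_SESSION` and compares it with `time()` on the processing page, plus a helper that builds the cache-busting captcha `<img>` tag and the no-cache headers the captcha endpoint itself should send. The endpoint path `/includes/seccode.inc.php` is taken from later in the thread; the 10-second interval and the hidden-session layout are assumptions. Note that the random string is concatenated outside the quoted HTML, so PHP evaluates it instead of printing it literally.

```php
<?php
// Added example, not from the original thread.
// Assumptions: captcha served by /includes/seccode.inc.php (thread's path),
// 10-second minimum interval between submissions.

declare(strict_types=1);

const FLOOD_INTERVAL_SECONDS = 10;

/**
 * Return the seconds the caller must still wait, or 0 if the submission may
 * proceed. On success the timestamp is refreshed, so the next submission is
 * throttled from now.
 *
 * The state lives server-side in the session. Pressing Back re-sends the old
 * form, but it does not roll the session back, so the throttle still holds.
 */
function floodCheck(array &$session, int $now, int $interval = FLOOD_INTERVAL_SECONDS): int
{
    $last = isset($session['last_submit']) ? (int) $session['last_submit'] : 0;
    $remaining = $interval - ($now - $last);
    if ($last > 0 && $remaining > 0) {
        return $remaining;            // still inside the quiet period
    }
    $session['last_submit'] = $now;   // accept and start a new interval
    return 0;
}

/**
 * Build the captcha <img> tag. The random query string is appended OUTSIDE
 * the quoted HTML so PHP actually evaluates it; every page load then requests
 * a distinct URL and the browser cannot reuse a cached image.
 */
function captchaImgTag(string $endpoint = '/includes/seccode.inc.php'): string
{
    $nonce = bin2hex(random_bytes(8));
    return '<img src="' . htmlspecialchars($endpoint, ENT_QUOTES) . '?r=' . $nonce
        . '" width="71" height="21" alt="Security code" />';
}

/**
 * Headers the captcha endpoint itself should send, for browsers or proxies
 * that ignore the changing query string.
 */
function sendNoCacheHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// --- Usage on the processing page (skipped under the CLI) -------------------
if (PHP_SAPI !== 'cli') {
    session_start();
    $wait = floodCheck($_SESSION, time());
    if ($wait > 0) {
        http_response_code(429);
        exit("Please wait {$wait} more second(s) before submitting again.");
    }
    // ... verify the captcha, then validate name and the other fields ...
}
```

The throttle is per session rather than per IP, so it is not defeated by a spoofed or shared address; it is, of course, defeated by a client that simply discards its session cookie, which is why the captcha and a database-side check are still needed alongside it.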

Posted: Sun Sep 09, 2007 4:50 am
by kkonline
scottayy wrote:Store a timestamp in $_SESSION.
Compare timestamps with time() function on submission.
How will that help? Because by the time I compare the time on the processing page it will not match.

I am not clear what exactly you mean by comparing timestamps.

Should I store the time in the session on the form, then send it as a hidden value to the processing page and then compare?
One more thing: if the user presses the back button, then what will the value in the session be, the CURRENT value or the value that was posted previously?

Posted: Sun Sep 09, 2007 7:05 am
by superdezign
Don't compare with time()... scottayy was thinking right, but probably just ended up writing it wrong.

You have a few choices (that I'd recommend). One of them is to do as scottayy said, comparing some sort of unique id, such as the timestamp, with the last submitted form. Save a hidden field with the unique id of that particular submission, then save it into the session. If it encounters the same unique id in the form that is in the session, it is likely a duplicate submission. Otherwise, save the new unique id into the session.

The downside of that approach is when someone wants to change the information that they entered into a form by traveling back to it via the back button and altering it. In that case, an interesting way to do it would be to actually compare the form values using the session. This would be done by imploding the $_POST array or making a foreach loop that implodes the array with both the keys and values included (to avoid glitches).

The last approach is to simply stop them from being able to use the back button to re-submit the data. This can be done with the 'Location' header by technically "replacing" the page with the posted information with a different page (or itself).
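The three options in the post above, combined into one added example (not code from the original thread): a per-render token stored in the session and echoed as a hidden field, which the processor accepts exactly once; a fingerprint of the posted values for detecting an identical re-post; and a Post/Redirect/Get redirect so the Back button never lands on the POST response. The captcha is made single-use the same way. The paths `/submit.php` and `/thanks.php` and the field names are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumptions: this script serves the form on GET and processes it on POST
// at /submit.php, then redirects to /thanks.php (hypothetical paths).

declare(strict_types=1);

/** Option 1: issue a fresh token, remember it in the session, return it. */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['form_token'] = $token;
    return $token;
}

/**
 * Consume the token: returns true at most once per issued token. A Back-button
 * resubmission carries the same hidden value, but the session no longer holds
 * it, so it is rejected. hash_equals() avoids PHP's loose == on numeric-looking
 * strings ("1e3" == "1000") and compares in constant time.
 */
function consumeFormToken(array &$session, ?string $posted): bool
{
    if (!isset($session['form_token']) || $posted === null) {
        return false;
    }
    $valid = hash_equals($session['form_token'], $posted);
    unset($session['form_token']);        // single use, valid or not
    return $valid;
}

/** The captcha answer is single-use for the same reason. */
function consumeCaptcha(array &$session, ?string $posted): bool
{
    if (!isset($session['secCode']) || $posted === null) {
        return false;
    }
    $valid = hash_equals((string) $session['secCode'], $posted);
    unset($session['secCode']);
    return $valid;
}

/**
 * Option 2: fingerprint the posted values (keys and values, sorted, so the
 * field order cannot change the result). The token is excluded because it
 * differs on every render of the form.
 */
function postFingerprint(array $post): string
{
    unset($post['form_token']);
    ksort($post);
    return hash('sha256', http_build_query($post));
}

function renderForm(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES);
    return '<form method="post" action="/submit.php">'
         . '<input type="hidden" name="form_token" value="' . $t . '" />'
         . '<input type="text" name="secCode" />'
         . '<input type="submit" value="Send" /></form>';
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        echo renderForm(issueFormToken($_SESSION));
        exit;
    }
    if (!consumeFormToken($_SESSION, $_POST['form_token'] ?? null)) {
        http_response_code(400);
        exit('Duplicate or expired form submission.');
    }
    if (!consumeCaptcha($_SESSION, $_POST['secCode'] ?? null)) {
        http_response_code(400);
        exit('Wrong security code.');
    }
    $fp = postFingerprint($_POST);
    if (($_SESSION['last_post_fp'] ?? null) === $fp) {
        http_response_code(400);
        exit('This exact submission was already received.');
    }
    $_SESSION['last_post_fp'] = $fp;
    // ... insert into the database here ...

    // Option 3 (PRG): 303 makes the browser GET the next page, so Back returns
    // to the form (which issues a new token), not to the POST response.
    header('Location: /thanks.php', true, 303);
    exit;
}
```

The fingerprint check is the one that lets a user go Back, edit a field and submit a changed version (the token check alone would reject that, as the post notes), so decide which of the two you want before combining them as above.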

Posted: Sun Sep 09, 2007 10:47 am
by kkonline
scottayy wrote: Also, to make the captcha script generate a new image, add a random string to the URL of the page that generates the image, to prevent caching.

Code:

echo '<img src="captcha.php?randomString=' . md5(microtime()) . '" alt="Captcha Image" />';
To generate the code I use

Code:

<?php
  // The short open tag "<?" is replaced with "<?php", and E_WARNING-only
  // reporting is dropped so errors are not silently hidden.
  session_start();

  $name = "secCode";          // session variable name

  // srand() seeding is unnecessary (PHP seeds automatically); random_int()
  // draws from a CSPRNG, so the code cannot be predicted from the clock.
  $secCode = '';
  for($i = 0; $i < 6; $i++) $secCode .= random_int(0, 9);
  $_SESSION[$name] = $secCode;

  echo $_SESSION[$name];
?>
In the processing page I use

Code:

// hash_equals() avoids PHP's loose == (e.g. "1e3" == "1000") and compares in
// constant time; the code is then cleared so it cannot be replayed via Back.
if(isset($_POST['secCode']) && isset($_SESSION['secCode'])
   && hash_equals((string) $_SESSION['secCode'], (string) $_POST['secCode']))
{
    unset($_SESSION['secCode']);
    // correct security code, now validate name and other fields
}
I am using a text-based number display rather than an image (as images are cached by the browser). Now, on pressing the back button, I still get the same text code displayed...
As you said, "add a random string to the page that generates the image, to prevent caching." How do I implement that in the script I am using?

Posted: Sun Sep 09, 2007 11:14 am
by superdezign
kkonline wrote: I am using a text-based number display rather than an image (as images are cached by the browser). Now, on pressing the back button, I still get the same text code displayed...
That destroys the whole purpose of the captcha, you know.
kkonline wrote: As you said, "add a random string to the page that generates the image, to prevent caching." How do I implement that in the script I am using?
He's saying that if you add a random string to the end of *any* URL, it will prevent the cache from showing the same data.

Posted: Sun Sep 09, 2007 10:02 pm
by kkonline
OK, now I understand what you and scottayy mean. However, when I write

Code:

<?php    echo "<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'>" ?></td>
to append a random string to the security code (captcha script), in the SOURCE CODE I get the following

Code:

<img src='/includes/seccode.inc.php?randomString=' . md5(microtime()) . '' width='71' height='21' align='absmiddle'></td>
rather than the actual value of randomstring which should be appended.

What is the problem with the code?

Posted: Sun Sep 09, 2007 10:11 pm
by feyd
Notice how the "code" is red? That usually means it's a part of the string.

Posted: Sun Sep 09, 2007 10:14 pm
by kkonline
feyd wrote: Notice how the "code" is red? That usually means it's a part of the string.
feyd, I can understand that the code has some problem; can you help me fix it or write it the correct way?

Posted: Sun Sep 09, 2007 10:23 pm
by feyd
I told you what's wrong with the code. You need to figure out the fix yourself because I'm pretty sure you've been given links to the pages concerning your problems with strings before.