-
Protecting Submission Form from Flooding
Hello everyone;
I am working on a submission form and have finished the script but have not yet implemented any security features that would protect the form from being flooded. I would like to hear what techniques you use to accomplish such a task.
I do not want to rely on IP-logging alone because that might block legitimate users sharing the same external IP on a LAN. I thought of adding some kind of unique ID to each request. Are there any totally unique variables I can use in PHP to distinguish users? I don't want to use cookies; I want this to be totally server-side.
Any ideas?
Thanks a lot.
Mikhail
-
Waaambulance Pilot
Use cookies. They would be put on the person's machine that submitted something and others in the same LAN could still use it.
It must be obvious day at camp stupid
-
Senior Member
Originally posted by sk8Krog
Use cookies. They would be put on the person's machine that submitted something and others in the same LAN could still use it.
Better yet, use a local shared object. Not server side, but better than a cookie.
d.
-
Hmm... the thing is, such a cookie has to last up to a month. I was thinking of something more like a MAC address type of thing.
-
Senior Member
Originally posted by mmarkin
Hmm... the thing is, such a cookie has to last up to a month. I was thinking of something more like a MAC address type of thing.
Use a local shared object combined with a date object and you're done.
d.
-
YH Jelly Llama Jockey
If you were desperate you could check the user's IP address and only allow one submission from each IP.
If you're worried that people on networks who share IPs might have problems you could always allow just a certain number from each IP. People might still be able to send more than one but you could still restrict them to only x number of submissions.
I'd have thought cookies would be the easiest way though.
-
The problem with cookies is that most users clear their data every once in a while; cookies usually don't sit around for an entire month.
-
YH Jelly Llama Jockey
They may well erase their cookies but it's unlikely they'll keep erasing their cookies just so they can resubmit the form.
On the other hand if it's for a competition or something and you really want to restrict EVERYONE to ONLY one submission then maybe IPs would be the answer.
-
That is more like what I want to do; it's a survey. I am also aiming at protecting against people extracting the required variables from the page source and using those to submit thousands of fake results.
-
YH Jelly Llama Jockey
You can use this PHP code to access a user's IP:
$variable_name = $_SERVER['REMOTE_ADDR'];
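The per-IP cap suggested earlier in the thread ("allow just a certain number from each IP"), as an added example that is not part of any original post. It assumes the pdo_sqlite extension; the table name, the limit of 3, the 30-day window and the sample addresses are constructed for illustration.

```php
<?php
// Added example: per-IP submission cap over a rolling window.
// Table name, limits and sample IPs are constructed for illustration.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // use a file or a real database in production
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submissions (ip TEXT NOT NULL, ts INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_ip_ts ON submissions (ip, ts)');
    return $db;
}

// Returns true and records the attempt if $ip is under the cap, false otherwise.
function allow_submission(PDO $db, string $ip, int $now, int $limit = 3, int $window = 2592000): bool {
    $db->beginTransaction();
    try {
        // Drop rows older than the window so the table stays bounded.
        $db->prepare('DELETE FROM submissions WHERE ts <= ?')->execute([$now - $window]);
        $q = $db->prepare('SELECT COUNT(*) FROM submissions WHERE ip = ?');
        $q->execute([$ip]);
        $ok = ((int) $q->fetchColumn()) < $limit;
        if ($ok) {
            // Only accepted submissions count against the cap.
            $db->prepare('INSERT INTO submissions (ip, ts) VALUES (?, ?)')->execute([$ip, $now]);
        }
        $db->commit();
        return $ok;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo with constructed addresses; in a request handler pass $_SERVER['REMOTE_ADDR'].
$db = open_store();
$t0 = 1700000000;
foreach ([['203.0.113.7', 0], ['203.0.113.7', 60], ['203.0.113.7', 120],
          ['203.0.113.7', 180], ['198.51.100.9', 200], ['203.0.113.7', 2592001]] as [$ip, $dt]) {
    printf("%-13s t+%-8d %s\n", $ip, $dt, allow_submission($db, $ip, $t0 + $dt) ? 'accepted' : 'rejected');
}
```

A cap above one keeps users behind a shared external IP from being locked out by the first submitter, which is the concern raised in the opening post.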
-
Yes, I am aware of that...
-
Multiple Submission of Forms: Let the user know, or keep it secret?
Hi.
I am thinking out a security system for a form submission script. I was wondering if I should let the user know that their repeated submissions are not being accepted or if I should just say "thank you" and let them think that they're flooding my database. What do you guys do? What do you think I should do? I am very curious.
Thanks.
Mikhail
Last edited by mmarkin; 05-06-2003 at 04:15 PM.
-
Modding with Class
Mikhail,
I merged your new thread with this one you started last week, since it is still the same topic. Just keeping the Board clean.. thanks!
-
Sorry about that.... I thought it would be better to keep it separate when I opened it...
Mikhail
-
Hi.
IP checking is quite unfair to those who use dynamic IP connections.
Many people who are used to clearing their cookies would not even know how to clear their local shared objects.
In order to prevent extracting data from the form, you could use a Flash form with a one-time mangling function.
Musicman
-
Alright. Can anyone steer me in the right direction with those local shared objects? This is pretty much the first time I hear about those things.
Thanks.
Mikhail
-
Senior Member
Originally posted by mmarkin
Alright. Can anyone steer me in the right direction with those local shared objects? This is pretty much the first time I hear about those things.
Thanks.
Mikhail
Explanation here:
http://www.macromedia.com/support/fl...shared_object/
Tutorial w/source files here:
http://www.macromedia.com/support/fl...s/local_so.htm
It requires the Flash 6 player, but in my opinion it is so much easier and more reliable than using cookies.
d.
-
Thanks a bunch. I was hoping for something "standard", but I will take a good look at those.
Thanks again.
Mikhail
-
Senior Member
Originally posted by mmarkin
Thanks a bunch. I was hoping for something "standard", but I will take a good look at those.
Thanks again.
Mikhail
What do you mean by "standard"? I've done quite a bit with local SOs so feel free to email me if you have any questions.
d.
-
I meant no Flash - standard HTML/Server-side scripting.
Mikhail