  1. #1
    Regular Coder
    Join Date
    Nov 2002
    Posts
    161
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Stop Mailform Flooding

    I've written a basic mailform on my site. Very basic indeed, it's PHP and uses mail(). I haven't even set up a block on blank entries for names, subject, message and so on yet. I know how to do that, I just haven't got round to it.

    However it has been flooded a couple of times, once by an innocent user on a slow connection hitting submit a few times and a couple of times by an idiot just clicking submit about 40 times on a blank form.

    How best would you prevent multiple submitting like this?

    I've put this in this forum because I would rather do it server side than use Javascript and the site already uses PHP on every page.

  • #2
    Regular Coder
    Join Date
    May 2003
    Location
    34° 54' N 82° 13' W
    Posts
    996
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you want them to be able to send an email every now and then, set a cookie using the setcookie() function. Once the cookie expires, they will be able to use the form to send an email again. It's not very secure as someone can delete the cookies, but most people don't know how to do it or won't do that.
    Stevie Peele
    Neverside IRC Network - irc.veonex.net | tc.tutorialnetwork.org
    #dev - any programming,etc. question
    #design - design discussion and critique
    #central - general chat
    Come join us!

  • #3
    me'
    Senior Coder
    Join Date
    Nov 2002
    Location
    Warwickshire, England
    Posts
    1,229
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you want to go the database route, you could create a new database entry with their IP and enter the current time and date, and when they next post, you can look up their IP in your database, and if it's there then compare the current date and time with the stored one, and see if a certain amount of time has passed.

    Again, this isn't totally secure as people have changeable IPs.
    Last edited by me'; 12-22-2003 at 04:31 PM.
    David House - Perfect is achieved, not when there is nothing left to add, but when there is nothing left to take away. (Antoine de St. Exupery).
    W3Schools | XHTML Validator | CSS Validator | Colours | Typography | HTML&CSS FAQ | Go get Mozilla Now | I blog!

  • #4
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    1. Get your value checking straight. There is really no excuse for putting something like that on a live server without value checking. If you take a look around, you'll probably find some nice email-regex and for the other fields, .
    2. Just supply a dynamically created image (inside the image, you have a number or alphanumeric value they need to type into a textbox as 'validation-key'). You can then store a hashed version of that value (using the sessionID as salt) inside a hidden formfield in the form. Not bulletproof, but it will stop your regular idiot.
    3. If it needs to be tighter: store the image value and sessionID inside a db and, before processing a form, select the record with that sessionID and value (from the textbox). After processing the form, set a flag (update column 'mailed' to Now() or so). Before loading the form, check if the sessionID already had a mail and when. You can add some extra checks against cookies or checking on the IP (which will indeed stop some people, but not your serious abuser).
    4. If you want it still tighter: require them to log in, or to have cookies enabled and check if they have a persistent cookie (with hashed userID in), or if they have an allowed static IP (least secure).
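
The database approach from posts #3 and #4, as an added example that is not code from the thread: each rendered form gets a one-time code stored as a hash keyed with the session ID, a submission is accepted only if it flags an unused matching row as mailed, and a session or IP that mailed within the cooldown is refused. The table, column and function names are hypothetical, image rendering is left out, and it assumes PHP 7+ with the pdo_sqlite extension (an in-memory SQLite database stands in for the site's own).

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are hypothetical.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // demo only; a real site would use its own database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mail_challenge (
        session_id TEXT NOT NULL, ip TEXT NOT NULL, code_hash TEXT NOT NULL,
        issued_at INTEGER NOT NULL, mailed_at INTEGER)');
    return $db;
}

// Called when the form is rendered: returns the code to draw into the image.
function issue_challenge(PDO $db, string $sid, string $ip, int $now): string {
    $code = (string) random_int(100000, 999999);
    $stmt = $db->prepare('INSERT INTO mail_challenge (session_id, ip, code_hash, issued_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$sid, $ip, hash_hmac('sha256', $code, $sid), $now]);
    return $code;
}

// Called when the form is posted: true means "send one mail for this submission".
function accept_submission(PDO $db, string $sid, string $ip, string $typed,
                           int $now, int $cooldown = 300): bool {
    // Time check from post #3, keyed on session ID or IP.
    $recent = $db->prepare('SELECT COUNT(*) FROM mail_challenge
                            WHERE (session_id = ? OR ip = ?) AND mailed_at > ?');
    $recent->execute([$sid, $ip, $now - $cooldown]);
    if ((int) $recent->fetchColumn() > 0) {
        return false;
    }
    // Flag the matching, unused challenge as mailed; a replayed POST matches no row.
    $use = $db->prepare('UPDATE mail_challenge SET mailed_at = ?
                         WHERE session_id = ? AND code_hash = ? AND mailed_at IS NULL');
    $use->execute([$now, $sid, hash_hmac('sha256', $typed, $sid)]);
    return $use->rowCount() > 0;
}

// Constructed demo: one visitor clicks submit repeatedly, then returns later.
$db = open_store();
$sid = 'constructed-session-id'; $ip = '192.0.2.10'; $t = 1000000;
$code = issue_challenge($db, $sid, $ip, $t);
var_dump(accept_submission($db, $sid, $ip, $code, $t + 5));     // first click
var_dump(accept_submission($db, $sid, $ip, $code, $t + 6));     // repeat click, same code
var_dump(accept_submission($db, $sid, $ip, '', $t + 7));        // blank form
$code2 = issue_challenge($db, $sid, $ip, $t + 400);
var_dump(accept_submission($db, $sid, $ip, $code2, $t + 400));  // new form after the cooldown
```

The mail() call belongs only in the branch where accept_submission() returns true; the cooldown check and the update are two separate statements, so wrap them in a transaction if concurrent requests from one session matter.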

