12-22-2003, 01:54 PM
I've written a basic mailform on my site. Very basic indeed, it's PHP and uses mail() I haven't even set up a block on blank entries for names, subject, message and so on yet. I know how to do that I just haven't got round to it.
However it has been flooded a couple of times, once by an innocent user on a slow connection hitting submit a few times and a couple of times by an idiot just clicking submit about 40 times on a blank form.
How best would you prevent multiple submitting like this?
12-22-2003, 02:23 PM
If you want them to be able to send an email every now and them, set a cookie using the setcookie() (http://us2.php.net/setcookie) function. Once the cookie expires, they will be able to use the form to send an email again. It's not very secure as someone can delete the cookies, but not most people know how to do it or will do that.
If you want to go the database route, you could create a new database entry with their IP and enter the current time and date, and when they next post, you can look up their IP in your database, and if it's there then compare the current date and time with the stored one, and see if a certain amount of time has passed.
Again this isn't totally secure as people have changable IPs.
1. get your valuechecking straight. There is realy no excuse for putting something like that on a live server without value checking. If you take a look around, you'll probably find some nive email-regex and for the other fields, .
2. just supply a dynamically created image (inside the image, you have a number or alphanumeric value they need to type in in a textbow as 'validation-key'). You can then store a hashed version of that value (using the sessionID as salt) inside a hidden formfield in the form. Not bulletproof but it will stop your regular idiot.
3. If it needs to be tighter: store image- value and sessionID inside a db and before processing a form, select the record with that sessionID and value (from the textbox). After processing the form, set a flag (update column'mailed' to Now() or so) Before loading the form, check if the sessionID already had a mail and when. You can add some extra checks against cookies or checkingon the IP (<hich will indeed stop some people, but not your serious abuser)
4. If you want it still tighter : require them to log in, or to have cookies enable and check if they have a persistent cookie (with hashed userID in), or if they have an allowed staticIP (least secure)