
Prevent bots to query my database several times

Developer https://www.devze.com 2022-12-29 08:02 Source: web

I'm building an application that is a kind of registry. Think about a dictionary: you look up a word and it returns something if the word is found. Now, that registry is going to store valuable information about companies, and some could be tempted to get the complete listing. My application uses EJB 3.0 that replies to WS.

So I was thinking about permitting a maximum of 10 queries per IP address per day, storing the IP address and a counter in a table that would be emptied by a script every night.

Is it a good idea/practice to do so? If yes, how can I get the IP address on the EJB side? Is there a better way to prevent someone from getting all the data from my database? I've also thought about CAPTCHA, but I think it's a pain for the user, and sometimes they are difficult to read even for real humans.

Hope it's all clear since I'm not English...

Thanks Alain


I'd say the limit of 10 queries per day per IP is not very good. Take into account that many people may share the same public IP.

Although it's not 100% accurate, you could analyze whether an unusual number of requests are coming from the same IP in a short period of time. In case your alarm sounds, you show a CAPTCHA.


An alternative is to put a unique request-based token in a hidden field of the form, which you store in the session scope and then compare on submit of the form. That would filter out the bots which don't maintain the session, and that is already most of them.

To go a step further, you could add a timestamp to the request-based token and then check if the form is submitted within a reasonable time, e.g. 5 seconds (at least the fastest time a normal human can enter and submit the form). That would filter out other bots, which usually instantly fill and submit the form in sub-second time. Another advantage of this is that, in case of a very smart bot, it is then forced to take it easier with firing lots of subsequent requests.

I would at least not rely on the IP address. It comes with too many external disturbing factors.

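The session-bound, timestamped form token described in the answer above, as an added Java example that is not code from the question or from either answer. The session is modelled as a plain Map standing in for HttpSession get/setAttribute, and the class name, its keys and the 5-second minimum are assumptions for illustration:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: one-time, session-bound form token with a human-timing check. */
public class FormTokenGuard {
    private static final String TOKEN_KEY = "form.token";     // assumed session attribute names
    private static final String ISSUED_KEY = "form.issuedAt";
    private static final SecureRandom RNG = new SecureRandom();

    private final long minSubmitMillis; // faster than a human could fill the form -> reject
    private final long maxSubmitMillis; // token expiry, so a stale token cannot be reused later

    public FormTokenGuard(long minSubmitMillis, long maxSubmitMillis) {
        this.minSubmitMillis = minSubmitMillis;
        this.maxSubmitMillis = maxSubmitMillis;
    }

    /** Called when the form is rendered: store a fresh token in the session, return it for the hidden field. */
    public String issue(Map<String, Object> session, long nowMillis) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                       // unguessable, so a bot cannot forge the hidden field
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_KEY, token);
        session.put(ISSUED_KEY, nowMillis);
        return token;
    }

    /** Called on submit: accept only once, only if the token matches and the elapsed time looks human. */
    public boolean validate(Map<String, Object> session, String submitted, long nowMillis) {
        Object stored = session.remove(TOKEN_KEY);  // single use: consumed whatever the outcome
        Object issued = session.remove(ISSUED_KEY);
        if (stored == null || issued == null || submitted == null) {
            return false;                           // no session state: client did not keep the session
        }
        boolean match = MessageDigest.isEqual(      // constant-time comparison of the two tokens
                stored.toString().getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        long elapsed = nowMillis - (Long) issued;
        return match && elapsed >= minSubmitMillis && elapsed <= maxSubmitMillis;
    }

    public static void main(String[] args) {
        FormTokenGuard guard = new FormTokenGuard(5_000, 30 * 60_000); // 5 s minimum, 30 min expiry
        Map<String, Object> session = new HashMap<>();                  // constructed stand-in for HttpSession
        String token = guard.issue(session, 0);
        System.out.println(guard.validate(session, token, 200));        // sub-second submit (automated timing)
        token = guard.issue(session, 0);
        System.out.println(guard.validate(session, token, 8_000));      // plausible human timing
        System.out.println(guard.validate(session, token, 9_000));      // same token again (already consumed)
    }
}
```

In a servlet or JSF front end the same two calls wrap the page render and the form action; the EJB never needs the client IP for this check.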
