
Using a randomly generated token for flood control

Developer https://www.devze.com 2023-01-03 02:46 Source: Internet
Basic setup of my site is: user enters a message on the homepage, hits enter and the message is sent through an AJAX request to a file called like.php where it echoes a link that gets sent back to the user.

I have made the input disabled when the user presses enter, but there's nothing stopping the user from just constantly flooding like.php with POST requests and filling up my database.

Someone here on SO told me to use a token system but didn't mention how. I've seen this being done before and from what I know it is effective.

The only problem I have is how will like.php know it's a valid token? My code is this at the moment:

$token = md5(rand(0, 9999) * 1000000);

and the markup:

<input type="hidden" name="token" value="<?php echo $token ?>" />

Which will send the token to like.php through POST. But how will like.php know that this is a valid token? Should I instead token something that's linked to the user? Like their IP address? Or perhaps token the current minute and check that it's the same minute in like.php...

Any help on this matter would be greatly appreciated, thanks. :)


The best way is to use session variables because users can't delete them or modify them as easily as a form element. Or better yet, store the IP address and the time in the database and look it up to see if the user can post again yet.


Don't reinvent the wheel - just look up the last comment time from this user, defined by user_id, user_ip, whatever you have - and decide whether he is allowed to post or not.
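An added example (not code from the question or from either answer) that puts the two suggestions above together: the homepage issues a session-bound token that like.php can verify, and like.php keeps the time of the last accepted post in the session so a flood of requests is refused. The function names, the 10-second cooldown and the `like_token` / `last_post_at` session keys are assumptions for this example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7+ with sessions enabled.
// A session token answers "how does like.php know this token is valid": only a browser that
// loaded the homepage in this session holds it. The timestamp throttles repeated posts.

const MIN_SECONDS_BETWEEN_POSTS = 10; // assumed cooldown; tune for your site

// Homepage side: call when rendering the hidden <input name="token">.
function issue_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // random_bytes() is unpredictable; md5(rand(0, 9999) * 1000000) has only 10000
    // possible values, so a client could enumerate them all in seconds.
    $_SESSION['like_token'] = bin2hex(random_bytes(32));
    return $_SESSION['like_token'];
}

// like.php side: returns null when the post may proceed, otherwise an error string.
function validate_request(array $post, int $now): ?string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['like_token'] ?? null;
    $given    = $post['token'] ?? '';
    // hash_equals() compares in constant time so the token cannot be guessed byte by byte.
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        return 'invalid token';
    }
    // Single use: the same token cannot be replayed; like.php hands out a fresh one below.
    unset($_SESSION['like_token']);

    $last = $_SESSION['last_post_at'] ?? 0;
    if ($now - $last < MIN_SECONDS_BETWEEN_POSTS) {
        return 'posting too fast';
    }
    $_SESSION['last_post_at'] = $now;
    return null;
}

// In like.php, before touching the database:
// if (($err = validate_request($_POST, time())) !== null) { http_response_code(429); exit($err); }
// echo json_encode(['link' => $link, 'token' => issue_token()]); // new token for the next post
```

A client that discards its session cookie starts over with a clean session, so this session check complements rather than replaces the per-IP or per-user last-post lookup in the database that both answers recommend.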


One minute seems like a length of time that is too long for most users to wait. Tabbed browsing, broadband Internet service and users' tendency to not read every piece of text they're presented all contribute to a mass of users who will most likely get bored after less than a minute of not doing anything.

I would definitely suggest storing the users' IP addresses.

