Php timer allowing user to enter only every two seconds

I am programming a website where you can publish materials. This works with the following jQuery ajax:

    $.ajax({
        type: 'POST',
        url: 'action/post.php',
        data: 'posttext='+posttext+'&imageurl='+imageurl,
        success: function(feedback){
            $('#feedback').val(feedback);
        }
    });

Now I ask myself: anyone could write their own ajax to publish something on the site and do it again and again. How can I prevent this? I am sure that I will need some kind of security check in post.php - I already heard about the HTTP referrer, but this can be changed, so it is not trustworthy.

I would also like to add a timer to post.php, which ensures that a message from the same IP address can only be sent every x seconds and resets the timer if the message is sent within x seconds (Stack Overflow does something of this kind with comments).

Does anyone know how to protect ajax as well as how to set a timer? Or any other ideas on how to provide a publishing mechanism?

Thanks!

Dennis

+5
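For the first half of the question (stopping arbitrary clients from calling `action/post.php`), the usual answer is to tie the endpoint to the visitor's session and require a per-session token that only the page's own script knows. The following is an added example, not code from the question or either answer; the session key `csrf_token`, the POST field `token` and the function names are assumptions for the illustration.

```php
<?php
// Added example: session-bound request token for the AJAX publish endpoint.
// Assumed names: $_SESSION['csrf_token'], POST field 'token', issueToken(), requireValidToken().
session_start();

// Call this while rendering the page that contains the publish form, and
// embed the returned value in the page so the jQuery call can send it back,
// e.g.  data: {posttext: posttext, imageurl: imageurl, token: token}
function issueToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for easy embedding
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call this at the very top of action/post.php, before touching $_POST data.
function requireValidToken(): void
{
    $sent     = $_POST['token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be
    // guessed byte by byte from response timing
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
}

// Typical use in action/post.php:
//   requireValidToken();
//   ... then rate-limit and store the post ...
```

Unlike the `Referer` header, the token is never visible to another site and cannot be produced by a script that has not loaded your page within a valid session, so it addresses the "anyone could write their own ajax" concern; it does not by itself limit how often a legitimate session posts, which is what the rate limit below is for.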
2 answers

Your best approach is to store information in a database. The table can have 4 fields:

ipAddress, submitDate, postText, imageUrl

After sending, check if there is an entry in the database for the current IP address. If so, compare the posting date of the record with the current date and, if it exceeds your threshold, allow sending. Otherwise, issue an error message and redirect the user.

However, this is still not reliable, as the IP address can also be tampered with or the user may be hiding behind a proxy server.

+1
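A concrete version of the table and check described in this answer, written as an added example rather than the answerer's own code. It uses PDO with an in-memory SQLite table so it runs on its own; the table name `post_log`, the function `allowPost()` and the window length are assumptions. Every attempt is recorded, so a client that keeps retrying inside the window keeps resetting its own timer, which is the behaviour the question asks for.

```php
<?php
// Added example: per-IP posting window backed by a database table.
// Assumed: table post_log with the four columns from the answer, function allowPost().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post_log (
    ipAddress  TEXT PRIMARY KEY,
    submitDate INTEGER NOT NULL,
    postText   TEXT,
    imageUrl   TEXT
)');

/**
 * Returns true when $ip is allowed to post now (no record, or the last record
 * is at least $windowSeconds old). The attempt is always written back, so a
 * retry inside the window restarts the wait. $now is injectable for testing.
 */
function allowPost(PDO $db, string $ip, string $text, string $img, int $windowSeconds, ?int $now = null): bool
{
    $now = $now ?? time();
    // one transaction so two requests from the same IP cannot both read "no record"
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT submitDate FROM post_log WHERE ipAddress = :ip');
    $stmt->execute([':ip' => $ip]);
    $last = $stmt->fetchColumn();
    $allowed = ($last === false) || ($now - (int) $last >= $windowSeconds);

    // bound parameters, never string concatenation: postText is user input
    $up = $db->prepare('INSERT OR REPLACE INTO post_log (ipAddress, submitDate, postText, imageUrl)
                        VALUES (:ip, :t, :text, :img)');
    $up->execute([':ip' => $ip, ':t' => $now, ':text' => $text, ':img' => $img]);
    $db->commit();
    return $allowed;
}

// Constructed sequence of requests with a 10-second window (timestamps are fake)
$ip = '203.0.113.7';
var_dump(allowPost($db, $ip, 'first post', '', 10, 1000));        // bool(true)
var_dump(allowPost($db, $ip, 'too soon', '', 10, 1005));          // bool(false), timer now 1005
var_dump(allowPost($db, $ip, 'still too soon', '', 10, 1012));    // bool(false), 1012-1005 < 10
var_dump(allowPost($db, $ip, 'ok again', '', 10, 1030));          // bool(true)
var_dump(allowPost($db, '203.0.113.8', 'other client', '', 10, 1012)); // bool(true)
```

In `action/post.php` the call would be `allowPost($db, $_SERVER['REMOTE_ADDR'], $posttext, $imageurl, 10)`, with the error message sent back through the same `feedback` channel the jQuery code already reads. As the answer notes, the IP address is a weak key (shared NAT, proxies); pairing it with the session token from the question keeps the check per-visitor rather than per-address.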


A script that lets each IP address make one request every 10 seconds:

    <?php
    $waitSeconds = 10;
    if (allowRequest($waitSeconds)) {
        // allowed
        echo "Welcome.";
    } else {
        // not allowed
        echo "Please wait at least $waitSeconds seconds after your last request.";
    }
    echo '<hr /><a href="#" onclick="location.reload(true);return false">try again</a>';

    function getLastRequestTimeDiff($ip = null, $logFile = null)
    {
        if ($ip === null) {
            // no specific ip provided, grab it from the $_SERVER array
            $ip = $_SERVER["REMOTE_ADDR"];
        }
        if ($logFile === null) {
            // no specific log file given
            $logFile = "./lookup.log";
        }
        if (!is_file($logFile)) {
            // create an empty lookup table
            file_put_contents($logFile, serialize(array()), LOCK_EX);
        }
        // read content
        $logContent = file_get_contents($logFile);
        // unserialize, check manual; fall back to an empty table if the file is corrupt
        $lookup = unserialize($logContent);
        if (!is_array($lookup)) {
            $lookup = array();
        }
        // default diff (f.e. for first request)
        $diff = 0;
        // current timestamp
        $now = time();
        if (array_key_exists($ip, $lookup)) {
            // we know the ip, retrieve the timestamp and calculate the diff
            $diff = $now - $lookup[$ip];
        }
        // set the new request time
        $lookup[$ip] = $now;
        // serialize the content
        $logContent = serialize($lookup);
        // and write it back to our log file (LOCK_EX serialises the write itself;
        // two requests can still race between the read above and this write)
        file_put_contents($logFile, $logContent, LOCK_EX);
        // return diff (in seconds)
        return $diff;
    }

    // encapsulate our function in a simpler yes/no function
    function allowRequest($allowed = 10, $ip = null, $logFile = null)
    {
        $timeDiff = getLastRequestTimeDiff($ip, $logFile);
        return $timeDiff >= $allowed;
    }
+1
