-5

I just want a code that can stop a user from submitting a form continuously.

For example, if the user is a kind of attacker. And I read that it can cause a DDOS attack too. (Correct me if I am wrong.)

Thanks, it will really help me if you give me some suggestions and advice. Thank you.

upvote
  • 55
  • 7
  • 1
    You can't prevent a DDOS attack in PHP. The DDOS overkills your server with requests. Only after the requests have got in is PHP called. Thus it's too late to do anything about it when your PHP script starts its work. – DocRattie Jul 07 '16 at 09:36
  • 2
    *I just want a code* -- Starting a question with this statement is the quickest way to attract downvotes – apokryfos Jul 07 '16 at 09:36
  • 2
    @apokryfos calling oneself `upvote` isn't better though :D – DocRattie Jul 07 '16 at 09:37
  • Don't mind the small things, thanks everyone. @DocRattie, then what can you suggest? – upvote Jul 07 '16 at 09:40
  • @upvote If you want to prevent DDOS attacks, talk to your server host and be ready to flash some cash for it. Otherwise you'll have a hard time doing anything against it. – DocRattie Jul 07 '16 at 09:42
  • thank you, @DocRattie, I will remember this – upvote Jul 07 '16 at 09:45
  • You could have javascript that disables a submit button after it has been submitted. However a determined attacker could bypass this easily. Preventing DDoS attack is a concern of a lower layer of the Internet model. – Jacob Mulquin Jul 07 '16 at 09:53
  • `Preventing DDoS attack is a concern of a lower layer of the Internet model.` What do you mean by that, @mulquin? – upvote Jul 07 '16 at 09:54
  • What about recording every post's IP and time? E.g., every IP can only post 5 times in an hour. – Autodesk Jul 07 '16 at 10:01
  • @VinciDa IP addresses are by no means a valid way to assert the identity of a user. For example, whole student dorms are often NAT-ed behind a single public IPv4 address. On the other hand, I personally own a whole /48 IPv6 block, which means I can use as many as 2^80 different addresses. – RockTheShow Jul 07 '16 at 10:10

1 Answer

0

You can use a captcha or a randomly-generated hidden token in order to enforce the expected flow chain, i.e. avoid direct form submissions using curl or any HTTP request forgery tool. This will also help you get protected against the CSRF exploit.

You will check the consistency of the token before executing the [supposedly heavy] logic of processing the actual form (database accesses, e-mail notifications, etc.).

However, as other users pointed out, this will NOT prevent the HTTP server from receiving and dispatching the malicious requests, and spawning a PHP process. Better than nothing though.

RockTheShow
  • 328
  • 1
  • 2
  • 10
  • I am using a CSRF token. I am just curious about continuously sending the form. Thank you! – upvote Jul 07 '16 at 10:13
  • Don't forget to invalidate the token in the user's session after the form which spawned it has been submitted once – RockTheShow Jul 07 '16 at 10:15
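
The token flow described in the answer and its follow-up comment, as an added example that is not part of the original thread: a single-use session token is checked and invalidated before any heavy processing runs, so a replayed or token-less POST is rejected cheaply. The function names, the `form_token` session key and the `token` field name are assumptions; as the thread notes, the request still reaches the web server and PHP either way.

```php
<?php
// Added example: single-use form token kept in the session.
// issue_form_token(), consume_form_token(), 'form_token' and 'token'
// are hypothetical names chosen for this sketch.
session_start();

/** Create a fresh random token, store it in the session, return it for the hidden field. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

/** True at most once per issued token; the stored token is dropped on every attempt. */
function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']); // invalidate before any processing happens
    return is_string($expected)
        && is_string($submitted)    // rejects missing fields and token[]=... arrays
        && hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consume_form_token($_POST['token'] ?? null)) {
        // Direct POSTs without a token and resubmissions of a used token end here,
        // before any database access or e-mail notification.
        http_response_code(400);
        exit('Invalid or already used form token.');
    }
    // The heavy form logic (database writes, e-mail) belongs here, after the check.
    echo '<p>Form accepted.</p>';
}

// Every rendered form carries a new token, so each page load allows one submission.
$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="message">
  <button type="submit">Send</button>
</form>
```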