How Do You Prevent Constant Posts To A PHP Script?

16 Replies - 768 Views - Last Post: 14 July 2013 - 01:53 PM

#1 adn258

Posted 03 July 2013 - 02:36 PM

So for scripts that are posted to and output data, how can you keep these from being posted to constantly? I was thinking of adding a pause, or using a global variable or something? You could also store in a session the last post, and if it's less than about one second ago you don't do anything. What do people here use, if anything? Is this important?

Replies To: How Do You Prevent Constant Posts To A PHP Script?

#2 kim_barcelona555

Posted 03 July 2013 - 04:43 PM

What do you mean? Does it trigger upon reloading?

#3 EternalHour

Posted 03 July 2013 - 04:51 PM

What you could do is put a hidden field inside the form that holds a time stamp of when the user submitted the form. Such as:

<?php $submit_time = time(); ?>
<input type="hidden" name="submit_time" value="<?= $submit_time ?>">

Then in your processing code you would do something like:

$current_time = time();
$submit_time  = (int) $_GET['submit_time']; // the hidden field holds a Unix timestamp
$min_interval = 2;                          // seconds that must pass between submissions

if ($current_time - $submit_time >= $min_interval) {
    // Form processing code...
} else {
    echo "Form has been resubmitted too soon.";
}


Don't depend on the syntax, but hopefully you get the idea.

#4 CTphpnwb

Posted 03 July 2013 - 08:40 PM

A hidden field will work, but if a hacker is targeting your site they'll be able to see it. Better to use a session variable and/or IP address, but even they aren't foolproof. You might use a captcha. I'm not a fan of Google (they track me - and you - too much) but reCAPTCHA is good.
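As an added example (not code from anyone in this thread), here is the hidden-field idea from #3 with the weakness CTphpnwb points out addressed: the field still carries the time the form was rendered, but together with an HMAC over it, so a client can read the value but cannot rewrite it without the server-side key. It assumes PHP 8, a secret `FORM_KEY` loaded from configuration (the value below is a placeholder), and hypothetical helper names of my own (`makeSubmitToken`, `parseSubmitToken`, `checkSubmission`, `renderSubmitField`).

```php
<?php
// Added example (not from the thread): a hidden "submit_time" field that the
// server can trust because it carries an HMAC over the timestamp.
declare(strict_types=1);

// Assumption: loaded from configuration, never sent to the client. Placeholder value.
const FORM_KEY = 'replace-with-a-random-32-byte-secret';

function makeSubmitToken(int $issuedAt, string $key = FORM_KEY): string
{
    $mac = hash_hmac('sha256', (string) $issuedAt, $key);
    return $issuedAt . '.' . $mac;
}

/** HTML for the hidden field, to be echoed inside the form. */
function renderSubmitField(): string
{
    return '<input type="hidden" name="submit_time" value="'
        . htmlspecialchars(makeSubmitToken(time()), ENT_QUOTES) . '">';
}

/**
 * Validate a token from the form. Returns the issued-at time, or null if the
 * token is malformed or its MAC does not match.
 */
function parseSubmitToken(string $token, string $key = FORM_KEY): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], $key);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

/**
 * Decide whether a submission may be processed: the token must verify, and the
 * form must have been open at least $minSeconds and at most $maxSeconds.
 */
function checkSubmission(string $token, int $now, int $minSeconds = 2, int $maxSeconds = 3600): string
{
    $issued = parseSubmitToken($token);
    if ($issued === null) {
        return 'rejected: invalid or tampered token';
    }
    $age = $now - $issued;
    if ($age < $minSeconds) {
        return 'rejected: resubmitted too soon';
    }
    if ($age > $maxSeconds) {
        return 'rejected: form expired';
    }
    return 'accepted';
}

if (PHP_SAPI === 'cli') {
    $issued = 1372862400;                 // constructed "form rendered" time
    $token  = makeSubmitToken($issued);

    echo checkSubmission($token, $issued + 1), PHP_EOL;   // rejected: resubmitted too soon
    echo checkSubmission($token, $issued + 10), PHP_EOL;  // accepted
    // A client that edits the field to claim an older time fails the MAC check.
    $forged = ($issued - 600) . '.' . explode('.', $token)[1];
    echo checkSubmission($forged, $issued + 10), PHP_EOL; // rejected: invalid or tampered token
} else {
    // Web usage (assumed handler): the field is posted back with the form.
    $verdict = checkSubmission($_POST['submit_time'] ?? '', time());
    if ($verdict !== 'accepted') {
        http_response_code(400);
        echo htmlspecialchars($verdict);
        exit;
    }
    // ... process the form ...
}
```

Run it from the command line to see the three verdicts. Note what this does and does not give you: it stops a client from forging the timestamp, but a valid token can still be replayed as often as the client likes within its window, so the per-session tracking the later posts describe (or a server-side store of used tokens) is still needed to limit repeated posts.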

#5 Dormilich

Posted 03 July 2013 - 09:25 PM

adn258, on 03 July 2013 - 11:36 PM, said:

So scripts that are posted to and output data how can you keep these from being posted to constantly?

Question: by the same user? (Then see the advice above.)

On the other hand, servers are supposed to handle hundreds of requests per second.

#6 adn258

Posted 04 July 2013 - 01:55 AM

Dormilich, on 03 July 2013 - 09:25 PM, said:

adn258, on 03 July 2013 - 11:36 PM, said:

So scripts that are posted to and output data how can you keep these from being posted to constantly?

Question: by the same user? (Then see the advice above.)

On the other hand, servers are supposed to handle hundreds of requests per second.



I'm not too worried about it on my forms, as most of them use a captcha code (there's one I coded that works great). What I'm worried about mostly are my scripts that I use with AJAX. For instance, on a part of my website the user can click next in a row of columns, which will show the next group of articles from my MySQL database table, i.e. their title etc.

Nothing keeps a user from posting to this script a bunch of times for nothing, in a sort of DoS attack (of course if they were doing it too fast, the company I use has hardware to detect this and they would likely be blocked), so like you said (they can handle hundreds of requests per minute etc.) maybe I am worrying about this too much?

Just out of curiosity though, especially with something like AJAX, like loading articles back and forth when you click next and previous, how can you slow down posts to the script? Of course I could require a captcha code before clicking next and previous, but that voids the entire purpose of why they are there, which is to allow users to easily press next and previous in an article category!!

#7 Dormilich

Posted 04 July 2013 - 02:42 AM

Quote:

Just out of curiosity though especially with something like AJAX like loading articles back and forth when you click next and previous how can you slow down posts to the script?

You do that inherently: JS needs time to do the AJAX post-/preprocessing, and it is single-threaded (so while processing, it doesn't do anything else (WebWorkers excluded)).


PS. for the server, there is absolutely no difference between a standard page request, a form submit or an AJAX request.

#8 Atli

Posted 04 July 2013 - 09:42 AM

If you are worried about the AJAX routes being flooded, try making it a requirement that a session is active for the AJAX request to be processed, and then create a time delay before it'll actually process any requests. Then you can use the session to track how frequently each user is requesting a page, and if they are being accessed too frequently you can add a delay to that as well, or simply cancel the requests.

That way, the user causing the flood will either have to keep recreating a session, which will take forever with the time delay, or he'll have to maintain a session and flood you with that session active, in which case you can track and delay/cancel those as well. Whatever he does, it'll be no good. Meanwhile, normal users will only see the initial time delay, which I doubt they'll even notice. (Well, it won't cause any great trouble for them at least.)

Consider something like this:
class AjaxSessionManager
{
    public function __construct()
    {
        $this->initialize();
        $this->handleTimeDelay();
        $this->handleFlooding();

        $_SESSION["ajax_last_request"] = microtime(true);
    }

    private function initialize()
    {
        if (session_status() != PHP_SESSION_ACTIVE) {
            session_start();
        }

        if (!isset($_SESSION["ajax_enabled"]) || !$_SESSION["ajax_enabled"]) {
            $_SESSION["ajax_enabled"] = true;
            $_SESSION["ajax_last_request"] = 0.0;
            $_SESSION["ajax_ignored_requests"] = 0;
            $_SESSION["ajax_start_time"] = microtime(true);
        }
    }

    /**
     * Checks if there is time remaining until the initial 1 second time delay
     * is up, and if there is, stops the request from proceeding, passing the
     * remaining time back to the client as a JSON property.
     */
    private function handleTimeDelay()
    {
        $timeDelay = $this->getRemainingTimeDelay();
        if ($timeDelay !== false) {
            header("HTTP/1.0 403 Forbidden");
            header("Content-type: application/json; charset=UTF-8");
            echo json_encode(array(
                "delay_remaining" => $timeDelay
            ));

            exit;
        }
    }

    /**
     * Returns the remaining time delay, or a boolean FALSE if there is no
     * delay remaining.
     *
     * @return float|bool
     */
    private function getRemainingTimeDelay()
    {
        if (isset($_SESSION["ajax_start_time"])) {
            $secondsSinceStart = microtime(true) - (float)$_SESSION["ajax_start_time"];
            if ($secondsSinceStart < 1.0) {
                return 1.0 - $secondsSinceStart;
            }
            else {
                return false;
            }
        }
        else {
            $_SESSION["ajax_start_time"] = microtime(true);
            return 1.0;
        }
    }

    /**
     * Checks if the current request was issued too frequently to be a normal
     * user request, and stops it if it was.
     */
    private function handleFlooding()
    {
        if (microtime(true) - (float)$_SESSION["ajax_last_request"] < 0.5) {
            // If this happens frequently, you may want to alert an admin
            // or log it, or something.
            if ($_SESSION["ajax_ignored_requests"] == 100) {
                $msg = "User at '" . $_SERVER["REMOTE_ADDR"] . "' has had more than 100 requests ignored due to flooding.";
                error_log($msg, 1, "admin@yoursite.example.com", "From: no-reply@yoursite.example.com\r\n");
            }
            ++$_SESSION["ajax_ignored_requests"];

            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}


The JavaScript code would have to be expecting a 403 response with the "delay_remaining" property set, and halt for the duration of the delay before proceeding with new requests. (It's such a short delay, in any case, that the user would never notice.)

You may be considering just doing a sleep(1); for the requests that initialize the session, instead of the JavaScript delay, but keep in mind that a sleep operation ties up the HTTP worker or CGI process handling the script execution for the duration, which would actually make it easier for an attacker to bring your server to a crawl.


You could also have the handleFlooding function in there manipulate a .htaccess file to block the suspect IP on the HTTP server level, which would be far more effective than exiting from PHP.
private function handleFlooding()
{
    if (microtime(true) - (double)$_SESSION["ajax_last_request"] < 0.5) {
        if ($_SESSION["ajax_ignored_requests"] == 100) {
            $file = "/var/www/.htaccess";
            $line = "Deny from " . $_SERVER["REMOTE_ADDR"] . "\n";
            file_put_contents($file, $line, FILE_APPEND);
        }
        ++$_SESSION["ajax_ignored_requests"];
       
        header("HTTP/1.0 403 Forbidden");
        exit;
    }
}


Of course, this could backfire if the IP is not unique; if it belongs to some popular anonymous proxy, or an ISP proxy covering a big area. I personally would avoid doing this, but I'll leave that decision up to you. - Also note that $_SERVER["REMOTE_ADDR"] is only the simplest of the IP detection headers. Some proxies use other headers to pass on the original IP. You'd want to look into that if you do this.
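The class above enforces two fixed rules (a 1 second start-up delay and a 0.5 second gap between requests). As an added example of the same idea in its general form, which is not code from Atli or anyone else in this thread, here is a token-bucket limiter: a client gets a small burst allowance that refills at a steady rate, so a person clicking next a few times quickly is fine while a sustained flood is refused without the server blocking. The bucket state is a plain array, so it can live in $_SESSION exactly like the thread's counters, or in a shared store keyed by client IP. It assumes PHP 8 and uses hypothetical names of my own (`TokenBucket`, `simulate`, the session key `ajax_bucket`); the timestamps in the CLI demo are constructed.

```php
<?php
// Added example (not from the thread): a token-bucket limiter for an AJAX
// endpoint. State is an array so it can be stored in $_SESSION or elsewhere.
declare(strict_types=1);

final class TokenBucket
{
    // $capacity = burst size in requests, $refillPerSecond = sustained rate.
    public function __construct(
        private float $capacity,
        private float $refillPerSecond
    ) {}

    /**
     * Decide whether one request may proceed; $state is updated in place.
     * Returns [allowed, secondsUntilNextToken].
     */
    public function consume(array &$state, float $now): array
    {
        if (!isset($state['tokens'], $state['updated'])) {
            $state = ['tokens' => $this->capacity, 'updated' => $now];
        }
        // Refill in proportion to elapsed time, never above capacity.
        $elapsed = max(0.0, $now - $state['updated']);
        $state['tokens'] = min($this->capacity, $state['tokens'] + $elapsed * $this->refillPerSecond);
        $state['updated'] = $now;

        if ($state['tokens'] >= 1.0) {
            $state['tokens'] -= 1.0;
            return [true, 0.0];
        }
        $wait = (1.0 - $state['tokens']) / $this->refillPerSecond;
        return [false, $wait];
    }
}

/** Replay a list of request times against one bucket; returns the decisions. */
function simulate(TokenBucket $bucket, array $timestamps): array
{
    $state = [];
    $out = [];
    foreach ($timestamps as $t) {
        [$ok, $wait] = $bucket->consume($state, $t);
        $out[] = sprintf('t=%.2fs %s%s', $t, $ok ? 'allowed' : 'rejected',
            $ok ? '' : sprintf(' (retry in %.2fs)', $wait));
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed timestamps: five clicks within half a second, then a pause.
    // Burst of 3, refilling 2 per second: the first three pass, the next two
    // are refused with a short wait, and the late one passes again.
    $bucket = new TokenBucket(3.0, 2.0);
    foreach (simulate($bucket, [0.0, 0.1, 0.2, 0.3, 0.4, 2.0]) as $line) {
        echo $line, PHP_EOL;
    }
} else {
    // Web usage: keep the bucket in the session, like the thread's class does.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $bucket = new TokenBucket(3.0, 2.0);
    $_SESSION['ajax_bucket'] ??= [];
    [$ok, $wait] = $bucket->consume($_SESSION['ajax_bucket'], microtime(true));
    if (!$ok) {
        // 429 is the status defined for rate limiting; Retry-After tells a
        // well-behaved client how long to hold off.
        http_response_code(429);
        header('Retry-After: ' . (int) ceil($wait));
        header('Content-Type: application/json; charset=UTF-8');
        echo json_encode(['delay_remaining' => round($wait, 3)]);
        exit;
    }
    // ... serve the next page of articles here ...
}
```

Two design points carry over from the discussion above: the check never sleeps, so a refused request costs the server almost nothing, and because the state is just two numbers it can be moved out of the session into a store keyed by IP (with the proxy caveats Atli mentions) if you want limits that survive a client discarding its session.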

#9 adn258

Posted 04 July 2013 - 02:29 PM

Thanks Atli and thanks Dormilich.

Atli, I really appreciate your input. I think I will take your advice and avoid something like this altogether, as it's a waste I almost feel. So as Dormilich said, essentially when someone clicks that next button, for instance, which uses a PHP script, the script has to finish anyway.

Basically what you're saying is that measures like this are for the most part probably a waste of time and not necessary in most cases these days, am I correct? At least in your opinion?

#10 adn258

Posted 05 July 2013 - 11:33 AM

What's the reason you "WOULDN'T" use one of these measures?

#11 adn258

Posted 09 July 2013 - 10:52 AM

Also wouldn't even using something like your session idea above for this be a complete waste of time? What keeps the user from simply closing the browser to expire the session (or the malicious program) and then making requests again?

#12 CTphpnwb

Posted 09 July 2013 - 11:41 AM

adn258, on 09 July 2013 - 01:52 PM, said:

What keeps the user from simply closing the browser to expire the session (or the malicious program) and then making requests again?

Nothing, but that requires them to start over. If you require posters to log in or take other steps to post (captcha) then that would be a problem for them. ;)

#13 adn258

Posted 09 July 2013 - 02:35 PM

CTphpnwb, on 09 July 2013 - 11:41 AM, said:

adn258, on 09 July 2013 - 01:52 PM, said:

What keeps the user from simply closing the browser to expire the session (or the malicious program) and then making requests again?

Nothing, but that requires them to start over. If you require posters to log in or take other steps to post (captcha) then that would be a problem for them. ;)


True, but this whole thing seems like more of an annoyance than it's worth. Do you use something like this? Also, perhaps this is just the whole usability vs. security trade-off which is in everything related to computer security, but I don't want a user to actually "login" to simply click next on my news articles, which loads up the next group using AJAX. Perhaps I'm just worrying about this too much?

#14 Atli

Posted 09 July 2013 - 03:33 PM

If you are only talking about protecting your site from users being able to bombard your AJAX data request routes and cause performance issues, then there is no need to log in. The method I posted above would protect against that just fine. You would only really need a login/captcha check if the user is meant to be able to post things.

#15 adn258

Posted 13 July 2013 - 04:10 PM

Atli, on 09 July 2013 - 03:33 PM, said:

If you are only talking about protecting your site from users being able to bombard your AJAX data request routes and cause performance issues, then there is no need to log in. The method I posted above would protect against that just fine. You would only really need a login/captcha check if the user is meant to be able to post things.



See, I don't want to do that though, friend. I have these articles conveniently laid out on my homepage, and I don't want people to have to enter a captcha code to be able to look through my articles on my homepage like a normal homepage.

Perhaps I should add just a simple mandatory 1 second or half second delay for being able to request/show new articles using the next button? That way at least it would prevent constant posts?