Javascript/PHP form submit issue

andyy15

Hi everyone,
I have a form in which I want to enable a type of flood control where a user can only submit x amount of (5) times in a given period (1 hour). I came up with this code which uses cookies and javascript to attempt to solve this issue.

Code:
function AllowNoDups()
{
addtime = 60 * 60 * 1000 // 1 hour
expdate = new Date()
expdate.setTime(expdate.getTime() + addtime)
expdate = expdate.toGMTString()

   var cookie_ls = document.cookie;
   if (cookie_ls.indexOf(document.location) > -5) 
   {
      alert("You can only submit 5 times in 1 hour. Please wait 1 hour before you submit again.");
      return false;
   }
   else
   	{
      document.cookie = window.location.href + " from " + document.referrer + "; path=/; expires=" + expdate;"";
      return true;
   };
   };

The main concern would be to somehow delete/disable the cookie after 1 hour. After testing the above code I found that after 1 hour it would not let me submit again. Is there something wrong with the coding? Is there another way to do this using IPs and PHP? Using the cookie solution might not work if the user disables cookies.

I was trying out this PHP code to try to solve this issue in a different way using IPs and PHP:
PHP:
$c = "SELECT * from `table_data` WHERE ip = '".$_SERVER['REMOTE_ADDR']."'"; 
  $c2 = mysql_query($c); 
     while($c3 = mysql_fetch_object($c2)) { 
      $difference = date() - $c3->date; 
     if($difference < 60) die('<u>ALERT:</u>Please wait 1 hour before you submit again<BR>'); 
      } //end while
where in table_data I have both the IP and date (in the form of 0000-00-00 00:00:00) stored after the submit button is pressed. This did not work. Also, this code does not take into account how many times the user hits submit; it only takes into account the time.

Any suggestion with either the top code or the bottom code or a completely different solution would be greatly greatly appreciated.

Thanks :)
 
Since users are still always able to switch off JavaScript and the use of cookies, I would say this is far from a bulletproof way to go.

I would program it in PHP using sessions; this eliminates the possibility of turning off JavaScript, and since sessions also depend on a cookie to store the session id, to make it all more solid, you should add the session id as a query string to every link on your page.
 
Thanks for the suggestion monty.
I will update the thread accordingly:

I have a form in which I want to enable a type of flood control where a user can only submit x amount of (5) times in a given period (1 hour).

I was trying out this PHP code to try to solve this issue using IPs and PHP:
PHP:
$c = "SELECT * from `table_data` WHERE ip = '".$_SERVER['REMOTE_ADDR']."'"; 
  $c2 = mysql_query($c); 
     while($c3 = mysql_fetch_object($c2)) { 
      $difference = date() - $c3->date; 
     if($difference < 60) die('<u>ALERT:</u>Please wait 1 hour before you submit again<BR>'); 
      } //end while
where in table_data I have both the IP and date (in the form of 0000-00-00 00:00:00) stored after the submit button is pressed. This did not work. Also, this code does not take into account how many times the user hits submit; it only takes into account the time.

I recently received a suggestion to
- Make a timestamp with the date/time 1 hour ago, call it $timestamp
- run this query:
SELECT Count(*) FROM table_data WHERE ip='".$_SERVER['REMOTE_ADDR']."'" AND timestampfield > '" . $timestamp . "'"

if your result >= 5, don't process the form

How would I go about making a timestamp 1 hour ago and posting that to the database into the time field of the table (table_data)?

Also, how would I go about writing a function that says "if your result >= 5, don't process the form"?

Any suggestions or a completely different solution would be greatly greatly appreciated.

Thanks :)
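
As an added example (not part of any post in this thread): one way to do the "count submissions in the last hour" check suggested above, server-side in PHP with prepared statements so the IP is never concatenated into the query. The in-memory SQLite database, the `submitted_at` column and the function names are assumptions for the demo; in a real form handler you would pass `$_SERVER['REMOTE_ADDR']` and `time()`.

```php
<?php
// Added example: server-side flood control, at most 5 submissions per IP per hour.
// Assumed for the demo: PDO + in-memory SQLite, column submitted_at, function names.

const MAX_SUBMITS = 5;
const WINDOW_SECONDS = 3600;

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_data (ip TEXT NOT NULL, submitted_at INTEGER NOT NULL)');
    return $db;
}

// Returns true and records the submission if the IP is under the limit,
// false (recording nothing) if it already has MAX_SUBMITS inside the window.
function allow_submission(PDO $db, string $ip, int $now): bool
{
    $cutoff = $now - WINDOW_SECONDS;   // the "timestamp 1 hour ago"
    $db->beginTransaction();
    try {
        // Bound parameters keep request data out of the SQL text.
        $count = $db->prepare('SELECT COUNT(*) FROM table_data WHERE ip = ? AND submitted_at > ?');
        $count->execute([$ip, $cutoff]);
        if ((int) $count->fetchColumn() >= MAX_SUBMITS) {
            $db->rollBack();
            return false;
        }
        $db->prepare('INSERT INTO table_data (ip, submitted_at) VALUES (?, ?)')->execute([$ip, $now]);
        // Housekeeping: rows older than the window are no longer needed.
        $db->prepare('DELETE FROM table_data WHERE submitted_at <= ?')->execute([$cutoff]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed demo: one IP submits 6 times in a minute, then again 61 minutes later.
$db = open_demo_db();
$ip = '203.0.113.7';   // documentation-range address, constructed
$t0 = 1700000000;      // fixed clock so the run is repeatable
for ($i = 0; $i < 6; $i++) {
    echo 'attempt ', $i + 1, ': ', allow_submission($db, $ip, $t0 + $i * 10) ? 'accepted' : 'rejected', "\n";
}
echo 'after 61 min: ', allow_submission($db, $ip, $t0 + 3660) ? 'accepted' : 'rejected', "\n";
```

Because the limit is keyed on the client address, users behind one shared NAT or proxy count as a single submitter.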
 