[SOLVED] form problem


Lambneck

I have a new form online that, after the user submits its data, is then displayed on another page.

Problem is, last night someone was bored and decided to fill in the form with "lsjdflkjsdflhsjhdfsdlkh". The person did this 32 times, taking about a total of 45 minutes. (They even bothered to fill in the required email field with "lksdjflk@ksjflsj.com".) So on the output page there were 32 submissions listed like "skdfhskjdfhlk".

Anyone have a suggestion as to how I can stop this from happening again?

Link to comment

Couple of ideas from me:

1.) You can use CAPTCHA

2.) You can use sleep() to delay entering new info (so it will take a lot longer for that person to do it like that)

3.) You can use IP logging and put a delay if a form is submitted twice from the same IP

4.) You can use domain validation for the email address

But there is no good way of preventing a user from entering shit info. You can just slow down entering a lot of shit to DB.

Link to comment

Sure, check for the IP when submitting. Insert into a table the IP of the person that submitted and put a time stamp; when someone is submitting, check if the IP is in that table and if N amount of time has passed, let's say 5 minutes. If it hasn't, don't accept the data that person is submitting.

Or

If you must have a valid email, try sending a mail to the e-mail given for confirmation, and only after the user has confirmed he or she is a real person do you then submit the data.

Hope this helps :D

Link to comment
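
The IP-and-timestamp check suggested in the two replies above, as an added PHP example that is not part of the original posts. The `form_throttle` table, the function names and the in-memory SQLite database are assumptions for illustration; the 5-minute window is the value from the reply.

```php
<?php
declare(strict_types=1);

const WINDOW_SECONDS = 300; // the "5 minutes" suggested in the reply above

// Hypothetical schema: one row per client IP holding its last accepted submission time.
function init_throttle(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS form_throttle (
        ip TEXT PRIMARY KEY,
        last_submit INTEGER NOT NULL
    )');
}

// Returns true and records the submission if the IP is outside the window,
// false if the submission should be rejected.
function allow_submission(PDO $db, string $ip, int $now): bool
{
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT last_submit FROM form_throttle WHERE ip = ?');
    $stmt->execute([$ip]);
    $last = $stmt->fetchColumn(); // false when the IP has no row yet

    if ($last !== false && ($now - (int)$last) < WINDOW_SECONDS) {
        $db->rollBack();
        return false;
    }
    $up = $db->prepare('REPLACE INTO form_throttle (ip, last_submit) VALUES (?, ?)');
    $up->execute([$ip, $now]);
    $db->commit();
    return true;
}

// Constructed demo data; in a real handler $ip would be $_SERVER['REMOTE_ADDR']
// and $now would be time().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
init_throttle($db);

$t0 = 1700000000; // constructed timestamp
$attempts = [
    ['203.0.113.7', $t0],        // first submission
    ['203.0.113.7', $t0 + 60],   // same IP, 1 minute later
    ['198.51.100.2', $t0 + 61],  // different IP
    ['203.0.113.7', $t0 + 301],  // same IP, window elapsed
];
foreach ($attempts as [$ip, $now]) {
    $verdict = allow_submission($db, $ip, $now) ? 'accepted' : 'rejected';
    printf("%-13s +%3ds %s\n", $ip, $now - $t0, $verdict);
}
```

Key the check on `REMOTE_ADDR` rather than client-supplied headers such as `X-Forwarded-For` unless a trusted proxy sets them. Visitors behind a shared NAT or proxy will share one window.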

It was likely done by a bot script. What existing measures do you have in place to ensure that your form page is actually being used to submit to your form processing code?


Using sleep() on the server only slows down the page generation of one instance of the web page. Because web servers are multitasking and create a separate instance for each http request, doing this has no effect except to possibly make legitimate visitors wonder why your web site is so slow to perform an action. Bot scripts don't look and don't care what web pages do. They make http requests to submit data to the form processing page.

Link to comment

Image captchas are fairly easy to crack, especially if all the characters are in a nice neat constant line and the noise on the image can be easily filtered out. For example, read this thread (all the characters were the same size/shape/color/contrast/orientation and in a nice neat line) - http://www.phpfreaks.com/forums/index.php/topic,218655.0.html

Question/answer captchas, where there are a fairly large number of different randomly picked questions, with something in each question being random itself (what is x [randomly selected] plus y [randomly selected], type the following word [randomly selected] and replace [a randomly picked character a-z that exists in it] with [a different randomly specified character], type the name of the shape in the [randomly picked position] out of the following shapes [randomly selected]...) are more effective, especially if the random question is output as text on an image that must be decoded before the question can be figured out and answered.

Link to comment