runnerjp Posted April 7, 2009

I'm using an AJAX form and basically it's easy to flood the form, so what I did was type up this bit of code:

<?php
if (!isset($_REQUEST['Submit'])) {
    //stop flooding
    $query = "SELECT max(`time`) as t FROM messages WHERE reciever='$reciever' AND sender='$username'";
    $res = mysql_query($query);
    if(!$res) die("Query: $query\nError: ".mysql_error());
    $lastMessageTime = mysql_num_rows($res) == 1 ? array_shift(mysql_fetch_array($res)) : 0;
    if ($lastMessageTime > 0 && $lastMessageTime < strtotime('+2 Minutes', $timestamp)) {
        $errors[] = 'Please wait 2 minutes between each message';
    }
?>

The thing is it does not work: no errors or anything, but it does not show the error message and allows resubmittance of the form right away?! In the DB, time is stored as time();

Zhadus Posted April 7, 2009

How are you inserting it into the database originally?

runnerjp (Author) Posted April 7, 2009

Like so:

<?php
$timestamp = time();
$update = mysql_query("INSERT INTO messages (time,reciever, sender, subject, message) VALUES('$timestamp','$reciever', '$username', '$subject', '$message')") or die(mysql_error());
?>

premiso Posted April 7, 2009

Do you do any checking before running that statement? If not, there is your answer. You need to do a check before you run the insert statement.

runnerjp (Author) Posted April 7, 2009

But it inserts, as I can get the data and time by doing this:

<?php
$time = $inbox['time'];
$time1 = date("F j Y, g:i a", $time);
echo $time1;
?>

The problem is using it as the flood prevention.

runnerjp (Author) Posted April 7, 2009

bump

runnerjp (Author) Posted April 7, 2009

I have tried finding the error:

<?php
//Get their private message count
$sql = mysql_query("SELECT pm_count FROM users WHERE Username='$reciever'");
$res = mysql_query($sql);
// $row = mysql_fetch_array($sql);
if (!$res) {
    $errmsg = mysql_errno() . ' ' . mysql_error();
    echo "<br/>QUERY FAIL: ";
    echo "<br/>$sql <br/>";
    die($errmsg);
}
?>

which gives the following output:

QUERY FAIL:
Resource id #12
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Resource id #12' at line 1

but I'm confused by what Resource id #12 is.

9three Posted April 7, 2009

You don't really need to know what #12 means. Just know that you have an SQL error.

$sql = mysql_query("SELECT pm_count FROM users WHERE Username='$reciever'");
$res = mysql_query($sql);

Do you see the error? You are querying a query.

runnerjp (Author) Posted April 7, 2009

Oh yes, oops lol. I don't seem to be able to find why the flood control does not work :S Anyone see why?

runnerjp (Author) Posted April 7, 2009

After running the following code:

<?php
if (!isset($_REQUEST['Submit'])) {
    //stop flooding
    $query = "SELECT max(unix_timestamp(`time`)) as t FROM messages WHERE reciever='$reciever' AND sender='$username'";
    $res = mysql_query($query);
    if (!$res) {
        $errmsg = mysql_errno() . ' ' . mysql_error();
        echo "<br/>QUERY FAIL: ";
        echo "<br/>$sql <br/>";
        die($errmsg);
    }
    $num = mysql_num_rows($res);
    if (!$num) {
        echo "<br/>QUERY FOUND NO DATA: ";
        echo "<br/>$sql <br/>";
    } else {
        echo "<br/>QUERY FOUND $num ROWS OF DATA ";
        echo "<br/>$sql <br/>";
    }
    if(!$res) die("Query: $query\nError: ".mysql_error());
    $lastMessageTime = mysql_num_rows($res) == 1 ? array_shift(mysql_fetch_array($res)) : 0;
    if ($lastMessageTime > 0 && $lastMessageTime < strtotime('+2 Minutes', $timestamp)) {
        $errors[] = 'Please wait 2 minutes between each message';
    }
?>

it says that I have QUERY FOUND 1 ROWS OF DATA ... so why does it not apply the code if I submit the code twice within 10 seconds?

runnerjp (Author) Posted April 7, 2009

bump

runnerjp (Author) Posted April 8, 2009

bump

premiso Posted April 8, 2009

As I stated before, nowhere in the code you posted that checks if it has been 2 minutes do you either run the insert statement or deny it. You need to move the insert statement into that code for this to work. Leaving it outside of it will allow it to run no matter what.

Bumping will not help as that is the answer.
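
The structure described in the last reply, as an added example that is not part of the thread: the 2-minute check and the INSERT sit in one function, so a denied submission returns before anything is written. The column names follow the thread; PDO with bound parameters, the in-memory SQLite database, the `sendMessage` name and the sample timeline are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. Schema mirrors the thread's columns;
// PDO + in-memory SQLite are assumptions so this runs without a MySQL server.
const FLOOD_WINDOW = 120; // seconds (the thread's 2 minutes)

function sendMessage(PDO $db, string $sender, string $reciever,
                     string $subject, string $message, int $now): array
{
    // 1. Look up the most recent message from this sender to this receiver.
    //    Values are bound, not interpolated into the SQL string.
    $stmt = $db->prepare(
        'SELECT MAX(time) FROM messages WHERE reciever = ? AND sender = ?'
    );
    $stmt->execute([$reciever, $sender]);
    $last = (int) $stmt->fetchColumn(); // MAX() over no rows is NULL, cast to 0

    // 2. Deny: return before the INSERT is ever reached.
    if ($last > 0 && ($now - $last) < FLOOD_WINDOW) {
        return ['Please wait 2 minutes between each message'];
    }

    // 3. Allow: the INSERT lives on the same code path as the check.
    $ins = $db->prepare(
        'INSERT INTO messages (time, reciever, sender, subject, message)
         VALUES (?, ?, ?, ?, ?)'
    );
    $ins->execute([$now, $reciever, $sender, $subject, $message]);
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (time INTEGER, reciever TEXT, sender TEXT,
                                  subject TEXT, message TEXT)');

// Constructed timeline: three submissions at t, t+10s and t+121s.
$t = 1239100000;
foreach ([0, 10, 121] as $offset) {
    $errors = sendMessage($db, 'alice', 'bob', 'hi', 'hello', $t + $offset);
    echo "+{$offset}s: ", $errors ? $errors[0] : 'sent', "\n";
}
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM messages')->fetchColumn(), "\n";
```

The check runs server-side on every request, so it holds no matter how the AJAX form is submitted.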