As the page is processed store the time within a session variable, then when they submit the form you can perform a bit of simple math between the current time() and the time stored within the session to check whether it's exceeded 30 seconds.

When validating the user's submission of the form:

$_SESSION['last_clicked'] = strtotime("now");

 

Check if they are able to submit the form:

if ($_SESSION['last_clicked'] < strtotime("-30 seconds")) {
// Show Button
} else {
// Don't show button
}

You need to store the time of the last action in a database of some kind (mysql, flat-file...). If you use a session, all someone needs to do is drop the session id, get a new session, and they can bypass the time value that was stored in old session.

ok i have a timestamp in mysql for everything submitted ..

 

 

here is how i insert a submit... how do i change it so you have to wait 30 seconds to insert again.

 

<?php
// Create MySQL login values and
// set them to your login information.
$username = "Master";
$password = "pword";
$host = "localhost";
$database = "db";

// Make the connection to MySQL or die
// and display an error.
$link = mysql_connect($host, $username, $password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

// Select your database
mysql_select_db($database);

// Escape the submitted form fields
// before they go into the query.
$username = mysql_real_escape_string($_POST['username']);
$hyperlink = mysql_real_escape_string($_POST['hyperlink']);
$name = mysql_real_escape_string($_POST['name']);
$summary = mysql_real_escape_string($_POST['summary']);
$info = mysql_real_escape_string($_POST['info']);
$keywords = mysql_real_escape_string($_POST['keywords']);

// Create the query and insert
// into our database.
$query = "INSERT INTO Stacks";
$query .= "(`username`,`hyperlink`,`name`,`summary`,`info`,`keywords`) VALUES ('$username','$hyperlink','$name','$summary','$info','$keywords')";

$results = mysql_query($query, $link);

// Test the result of the query, not the query string
// (a non-empty string is always true).
if ($results) {
    print "<br><font color=white>Your webpage has been uploaded.  <a href='submit.php'>Return to Submit Page</a></font>";
} else {
    print "No image selected/uploaded";
}

// Close our MySQL Link
mysql_close($link);
?>

how would i do this?

you have to wait 30 seconds to use submit button again for each individual user.

like in forums.. you have to wait 30 seconds in between posts

I've done it using cookies. I usually have PHP check the cookie prior to submitting; if they have a cookie more than an x amount of time, it gives them an error when they submit. Once they are allowed to submit, just update the cookie.


how do i do that


What? That's less secure than the session method! The user could just change or remove the cookie...

People can hack your cookie by using the address bar of the web browser.

 

Type 'Javascript: alert(document.cookie);' into your address bar and you'll see how easy it is.

 

Your best bet is using the database method.

i've applied a timestamp to each reply in the database..

 

now how do i apply that to the submit button

 

<input type='submit' name='submit' value='Submit'>

 

$posted = $row_data['posted'];  <<<this is timestamp

 

how do i do

 

if $posted less than 30 seconds between previous $posted, then don't show submit button


It's only a 30 second timer. If you really want it to be secure, then probably database. I'm guessing you'll have to record the ip or id of the user and timestamp when the button is clicked. Then compare the ip or id and timestamp when the user comes back to the page. Then again the user might be able to just register another account within 30 seconds and click the submit button or go through a proxy and click the submit button within 30 seconds.

You need to store the time of the last action in a database of some kind (mysql, flat-file...). If you use a session, all someone needs to do is drop the session id, get a new session, and they can bypass the time value that was stored in old session.

 

Combine with common anti-CSRF techniques and you'll have fixed it.
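The database-backed 30-second wait discussed in this thread, as an added example that is not code from any of the posters: the check runs on the server at insert time, keyed by the account id, and the check and the timestamp update happen in one SQL statement so two simultaneous requests cannot both pass. The table `submit_throttle`, the function names and the sample users are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: server-side submit cooldown stored in the database.
// Table, function names and sample users are hypothetical.

function openThrottleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submit_throttle (
        user_key    TEXT PRIMARY KEY,
        last_submit INTEGER NOT NULL
    )');
    return $db;
}

// Returns true if $userKey may submit now, and records $now as the last submit.
function claimSubmitSlot(PDO $db, string $userKey, int $now, int $wait = 30): bool
{
    // Make sure a row exists for this user (MySQL spelling: INSERT IGNORE).
    $db->prepare('INSERT OR IGNORE INTO submit_throttle (user_key, last_submit)
                  VALUES (?, 0)')
       ->execute([$userKey]);

    // Check and update in a single statement: the row only changes
    // when the previous submit is at least $wait seconds old.
    $stmt = $db->prepare('UPDATE submit_throttle SET last_submit = :now
                          WHERE user_key = :k AND last_submit <= :cutoff');
    $stmt->execute([':now' => $now, ':k' => $userKey, ':cutoff' => $now - $wait]);

    return $stmt->rowCount() === 1;
}

$db = openThrottleDb();
$t0 = 1700000000; // constructed timestamp for the demo
$attempts = [
    ['alice', $t0], ['alice', $t0 + 10], ['bob', $t0 + 10], ['alice', $t0 + 30],
];

foreach ($attempts as [$user, $at]) {
    // In the real handler $user comes from the logged-in account, never from
    // a cookie or form field, and $at is time().
    $ok = claimSubmitSlot($db, $user, $at);
    printf("%s at +%ds: %s\n", $user, $at - $t0, $ok ? 'run the INSERT' : 'rejected, still waiting');
}
```

Hiding the submit button is only a convenience for the user; the INSERT into `Stacks` should run only when `claimSubmitSlot()` returns true.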
