Restrict form submission for n times

[ankur0101]

Hi,

Suppose I have a form where I am accepting mobile number from users and showing such as

show.php?m=9999999999

 

Now what I want is that any person / visitor can submit form or go to above URL with different numbers only 10 times, after that he will get error message stating Visitors maximum quota reached.

And I want to restrict any queries from that IP for next 6 hours.

 

I am confused, how to do that ?

[Andy-H]

I assume you're sending text messages, are you sure restrictions on IP addresses are the best way to go? You may be better off restricting on a per-user basis, as multiple users could use the same computer.

[AbraCadaver]

The only way to do this without the user being able to get around it is to make them login.  Even making them login can be gotten around if they signup multiple times with different ids.

 

You could use a session var or a cookie, however the user can delete their cookies.  IPs may be shared by many people and it will change if you go from your house to Starbucks.

[ankur0101]

 

 

I assume you're sending text messages, are you sure restrictions on IP addresses are the best way to go? You may be better off restricting on a per-user basis, as multiple users could use the same computer.

 IPs may be shared by many people and it will change if you go from your house to Starbucks.

You got a point. We can restrict on IP and visitor's Web Browser.

I am going to provide specific service which registered users can use n number of times but free users can use only 10 times then they would have to wait for 30 minutes. After than they can again use for 10 times and again wait.

 

Using java scripts, we can gather users' OS, Screen resolution. This is not going to be exact way to differentiate users sitting on same IP.

What are other options ?

[Andy-H]

Javascript can be disabled, so I wouldn't recommend relying on it for something like this, how important is it that each person only gets 10 hits every 30 minutes? No matter what you do you're always going to get the odd few.

 

You could use a combination of IP address and user agent (you don't need javascript for this), i.e.

 

access_logs

id ip_address user_agent created_at

 

Then do something like:

 

<?phpfunction clientIP() {  if ( filter_var($_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP) ) {    return $_SERVER['HTTP_CLIENT_IP'];  } elseif ( filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) ) {    return $_SERVER['HTTP_X_FORWARDED_FOR'];  }  return $_SERVER['REMOTE_ADDR'];} // if user is logged in don't do this, they can use more than 10 timestry {  // create mysql connection  $dbh  = new PDO('mysql:dbname=test;host=127.0.0.1', 'root', '');  $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);  // prepare statement  $stmt = $dbh->prepare('SELECT COUNT(*) FROM access_logs WHERE ip_address = ? AND user_agent = ? AND created_at >= (NOW() - INTERVAL 30 MINUTE) LIMIT 10');  $stmt->execute(array(clientIP(), $_SERVER['HTTP_USER_AGENT']));  $row  = $stmt->fetch(PDO::FETCH_NUM);  // now we have times used in last 30 minutes  $times_used = (int)$row[0];  if ( $times_used == 10 ) {    $errors[] = 'You can only use this 10 times every 30 minutes, to remove this restriction <a href="/register.php">Register now!</a>';  } else {    // allow it    // insert new record for IP / user agent  }} catch ( PDOException $e ) {  // handle error}

 

Not tested.

Edited August 29, 2013 by Andy-H

[ankur0101]

 

You could use a combination of IP address and user agent (you don't need javascript for this), i.e.

 

access_logs

id ip_address user_agent created_at

I was thinking about the same. Practically we cannot detect unique visitor.

There might be a case where 2 users are under same IP, using same browser and user_agent will show same text. So in that case, I thought of detecting user's screen resolution.

I know again there is a possibility of 2 guys using same IP, same user_agent and same size of monitors.