Question : How to limit ip address to a PHP form

I have a PHP form which is used for contact.

I really would not like to add one of those image challenge things and penalise the honest users.

The problem is that a person wrote a ColdFusion bot to attack it, sending many requests from the same IP.

I wonder if I could put some logic, say session logic, to count the number of hits from the same IP and when it reaches, say 100 hits, then block the request.

Or would there be a PHP library to achieve that? Control the number of hits from the same IP to a PHP page.

Thanks.

Answer : How to limit ip address to a PHP form

I see this question has gone into "neglected status."

The correct answer is still the CAPTCHA image, but you might be able to get away with a form token.  It should prove more reliable than the IP address, but less reliable than CAPTCHA.  Here is my teaching example of how to use a form token.  

Best of luck with it, ~Ray
<?php // RAY_form_token.php
error_reporting(E_ALL);

// DEMONSTRATE THE USE OF A FORM TOKEN TO UNIQUELY IDENTIFY FORMS



// NOTE - YOU MUST START THE SESSION ON EVERY PAGE!
session_start();



// CREATE AN IDENTITY IN THE FORM
function make_form_token()
{
    // A RANDOM STRING FROM THE CSPRNG (PHP 7+) - time() AND THE SCRIPT NAME ARE GUESSABLE
    $token     = bin2hex(random_bytes(16));
    $_SESSION["_form_token"]    = $token;
    return $token;
}



// EVALUATE THE IDENTITY IN THE FORM
function check_form_token($token='')
{
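    // CHOOSE THE TOKEN WE WANT TO TEST
    if ($token === '')
    {
        $token = isset($_POST["_form_token"]) ? $_POST["_form_token"] : '';
    }

    // NO STORED TOKEN (OR A NON-STRING INPUT) MEANS NOTHING CAN MATCH
    if (!is_string($token) || empty($_SESSION["_form_token"]))
    {
        return FALSE;
    }

    // COMPARE OUR CURRENT TOKEN TO THE SESSION STORED TOKEN
    // hash_equals() IS TYPE-STRICT AND CONSTANT-TIME; == CAN TREAT "0e..." STRINGS AS EQUAL NUMBERS
    if (hash_equals($_SESSION["_form_token"], $token))
    {
        // DISCARD THE TOKEN TO ENSURE THAT IT CAN ONLY BE USED ONCE
        unset($_SESSION["_form_token"]);
        return TRUE;
    }
    return FALSE;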
}



// MODIFY THIS IF YOU WANT A FRIENDLY FORM TOKEN ERROR
function form_token_error()
{
    die("Form Token Error");
}



// DEMONSTRATE HOW THIS WORKS
// SESSION IS REQUIRED - SEE ABOVE WHERE WE STARTED THE SESSION
// session_start();

// CHECK FOR FORM INPUT
if (!empty($_POST))
{
    // SHOW THE FORM TOKEN (IT MAY BE MISSING IF THE SESSION HAS EXPIRED)
    $token = isset($_SESSION["_form_token"]) ? $_SESSION["_form_token"] : '(none)';
    echo "<br />THE FORM TOKEN IS $token ";
    if ( check_form_token() )
    {
        echo "AND IT IS VALID.\n";
    }
    else
    {
        echo "AND IT IS NOT VALID.\n";
    }
    
    echo "<br />Refresh this screen to resend the data and you can see a form token error.\n";
}



// END OF PHP - PUT UP A FORM TO ILLUSTRATE THE USE OF THE TOKEN
?>
<br /><br />
Click GO to see the form token.
<form method="post">
<input type="hidden" name="_form_token" value="<?=make_form_token()?>" />
<input type="submit" name="submit" value="Go!" />
</form>
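
The per-IP hit counting the question asks about, as an added example that is not part of the original question or answer. The counter lives in a server-side file rather than in the session, because a bot that discards cookies gets a fresh session on every request; the function name `ip_hit_allowed`, the one-hour window and the temp-directory storage are assumptions made for illustration.

```php
<?php
// ADDED EXAMPLE - NOT PART OF THE ORIGINAL ANSWER
// FIXED-WINDOW HIT COUNTER KEYED ON THE CLIENT IP, ONE SMALL FILE PER IP

// 100 IS THE FIGURE FROM THE QUESTION; THE ONE-HOUR WINDOW IS AN ASSUMPTION
const MAX_HITS       = 100;
const WINDOW_SECONDS = 3600;

function ip_hit_allowed($ip, $dir, $now = null)
{
    $now  = ($now === null) ? time() : $now;
    // HASH THE IP SO THE FILE NAME IS SAFE (IPV6 ADDRESSES CONTAIN COLONS)
    $file = $dir . DIRECTORY_SEPARATOR . 'hits_' . hash('sha256', $ip);

    // "c+" OPENS FOR READ/WRITE, CREATES IF MISSING, DOES NOT TRUNCATE
    $fp = fopen($file, 'c+');
    if ($fp === false)
    {
        return TRUE; // FAIL OPEN: A STORAGE PROBLEM SHOULD NOT LOCK OUT HONEST USERS
    }
    flock($fp, LOCK_EX); // SERIALIZE CONCURRENT REQUESTS FROM THE SAME IP

    // THE FILE HOLDS "WINDOW_START HIT_COUNT"
    $parts = explode(' ', trim((string) stream_get_contents($fp)));
    $start = isset($parts[0]) ? (int) $parts[0] : 0;
    $hits  = isset($parts[1]) ? (int) $parts[1] : 0;
    if ($now - $start >= WINDOW_SECONDS)
    {
        // WINDOW HAS EXPIRED (OR THE FILE IS NEW) - START COUNTING AGAIN
        $start = $now;
        $hits  = 0;
    }
    $hits++;

    ftruncate($fp, 0);
    rewind($fp);
    fwrite($fp, $start . ' ' . $hits);
    flock($fp, LOCK_UN);
    fclose($fp);

    return $hits <= MAX_HITS;
}

// USE AT THE TOP OF THE FORM HANDLER, BEFORE ANY MAIL IS SENT
$dir = sys_get_temp_dir(); // ASSUMPTION: USE A PRIVATE, NON-WEB-ACCESSIBLE DIRECTORY IN PRODUCTION
if (!empty($_POST) && !ip_hit_allowed($_SERVER['REMOTE_ADDR'], $dir))
{
    http_response_code(429);
    die("Too many requests");
}
```

Behind a reverse proxy or load balancer `REMOTE_ADDR` is the proxy's address, so the limit would then apply to all visitors at once.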