How do I protect against ajax-spam in PHP?

Good day,

I would like to know how to protect my website from ajax-spam. I'm looking to limit any ajax action per users. Let's say 8 ajax-actions per minute.

An example of an action would be: a button to add/remove a blog post "as my favorites".

Unless I'm wrong, I believe the best way would be using $_SESSION's variable and to prevent someone/a bot from clearing cookies to avoid my protection. I'm allowing ajax-functions only to logged-on users.

Using the database would make my protection useless because it's the unwanted database writes I'm trying to avoid.

I have to mention that I actually use PHP as server language and jQuery to process my ajax calls.

Thank you

Edit:

The sentence

... to protect my website ...

is confusing but it's not about cross-domain ajax.

Edit 2011-04-20: I added a bounty of 50 to it.

Cybrix asked Mar 04 '11 16:03


1 Answer

Since you're only allowing AJAX actions to logged in users, this is really simple to solve.

  • Create a timestamp field for each account. You can do this in the database, or leverage Memcached, or alternatively use a flat file.
  • Each time the user makes a request through your AJAX interface, add the current timestamp to your records, and:
  • Check to make sure the last eight timestamps aren't all before one minute ago.

From there you can add additional magic, like tempbanning accounts that flagrantly violate the speed limit, or comparing the IPs of violators against blacklists of known spammers, et cetera.

Winfield Trail answered Sep 24 '22 23:09
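The timestamp scheme from the answer above, written out as an added example (not code from the question or the answer): a sliding-window check that allows an AJAX action only while fewer than eight actions fall inside the last 60 seconds. It stores the timestamps in $_SESSION because the question restricts AJAX to logged-in users; `$_SESSION['user_id']`, `$_SESSION['ajax_stamps']` and the constant names are assumptions for the example.

```php
<?php
// Added example: sliding-window limiter for "8 AJAX actions per minute".
// Storage is $_SESSION (assumption: login is marked by $_SESSION['user_id']);
// keying the same logic on the account id in Memcached works identically.

const AJAX_LIMIT  = 8;   // actions allowed ...
const AJAX_WINDOW = 60;  // ... per this many seconds

/**
 * Pure decision function: given the stored timestamps and the current time,
 * return [allowed, updated timestamps]. No globals, so it can be tested
 * without a session.
 */
function ajaxRateDecision(array $timestamps, int $now,
                          int $limit = AJAX_LIMIT, int $window = AJAX_WINDOW): array
{
    // Drop anything older than the window so the stored list stays bounded.
    $recent = array_values(array_filter($timestamps, fn($t) => $t > $now - $window));
    if (count($recent) >= $limit) {
        // Over quota: reject without recording, so the list only ever holds
        // timestamps of actions that were actually performed.
        return [false, $recent];
    }
    $recent[] = $now;
    return [true, $recent];
}

/** Session-backed wrapper meant to run at the top of each AJAX endpoint. */
function enforceAjaxRateLimit(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {      // assumed login marker
        http_response_code(401);            // AJAX is for logged-in users only
        exit;
    }
    [$allowed, $stamps] = ajaxRateDecision($_SESSION['ajax_stamps'] ?? [], time());
    $_SESSION['ajax_stamps'] = $stamps;     // persist the trimmed window
    if (!$allowed) {
        http_response_code(429);            // Too Many Requests
        header('Retry-After: ' . AJAX_WINDOW);
        exit;
    }
    // Fall through: the endpoint may now do its (single) database write.
}
```

Clearing cookies also drops the login session, so a visitor cannot reset the counter without authenticating again; the check runs before any database write, which is the cost the question wants to avoid.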