php timer to only allow user input every two seconds

I am programming a website where you can post stuff. This works with the following jQuery ajax:

    $.ajax({
        type: 'POST',
        url: 'action/post.php',
        // pass an object so jQuery URL-encodes the values; a concatenated
        // string breaks as soon as posttext contains & or =
        data: { posttext: posttext, imageurl: imageurl },
        success: function(feedback){
            $('#feedback').val(feedback);
        }
    });

Now I wonder: anyone could write his own ajax to post something to the site and do this over and over again. How do I prevent this? I am sure I would need some kind of security check in post.php - I already heard about http referer, but that can be modified so it's not really trustworthy.

Also I would like to add a timer in post.php that makes sure that a post from the same ip address can only be posted once every x seconds, and resets the timer if the post is sent below x seconds (kind of like stack overflow does it with the comments).

Does anyone know how to secure the ajax and also how to set the timer? Or any other ideas how to secure the posting mechanism?

Thank you!

Dennis

asked Nov 05 '22 00:11 by weltschmerz


2 Answers

Your best approach would be to store your information in a database. You could have 4 fields in a table:

ipAddress, submitDate, postText, imageUrl

Upon submission, check if there's an entry in the DB for the current IP Address. If so, compare the entry's submit date with the current date and if it is over your threshold allow the submission. Otherwise, issue an error message and redirect the user back.

This still isn't foolproof however, since the IP Address can also be spoofed or the user can be hiding behind a proxy.

answered Nov 14 '22 23:11 by Jeff Lambert
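The check this answer describes, written out as the body of action/post.php. This is an added example, not the answer's own code: table and column names are assumptions, it uses PDO prepared statements against MySQL/InnoDB (INSERT IGNORE and SELECT ... FOR UPDATE are MySQL-specific), and it adds a small post_throttle table next to the answer's four-column posts table so that a rejected attempt restarts the wait, as the question asks, and so the check runs under a row lock instead of as a read followed by a separate write. Because the caller is an AJAX request it answers with a 429 and a message rather than redirecting. Times are stored as Unix timestamps so PHP and MySQL clocks never have to agree.

```php
<?php
declare(strict_types=1);

// Added example (not the answer's code): the per-IP check above as the body of
// action/post.php. Table and column names are assumptions; assumed schema:
//   CREATE TABLE posts (
//     id         INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     ipAddress  VARBINARY(16) NOT NULL,    -- packed IPv4 or IPv6
//     submitDate INT UNSIGNED  NOT NULL,    -- Unix timestamp
//     postText   TEXT          NOT NULL,
//     imageUrl   VARCHAR(2048) NOT NULL
//   );
//   CREATE TABLE post_throttle (            -- last attempt per address
//     ipAddress   VARBINARY(16) PRIMARY KEY,
//     lastAttempt INT UNSIGNED  NOT NULL
//   );

const MIN_INTERVAL_SECONDS = 2;

/**
 * Address of the TCP peer. Behind a reverse proxy this is the proxy, not the
 * user (the answer's caveat); do not read a forwarded-for header here unless
 * the request demonstrably came through a proxy you operate.
 */
function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/**
 * Stores the post if $ip's last attempt is old enough. Returns 0 when accepted,
 * otherwise the seconds left to wait. SELECT ... FOR UPDATE serialises
 * concurrent requests from one address, so two cannot both read the old
 * timestamp and both pass. Every attempt, accepted or not, restarts the wait.
 */
function tryPost(PDO $db, string $ip, string $text, string $imageUrl, int $now): int
{
    $packedIp = inet_pton($ip);
    if ($packedIp === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    $db->beginTransaction();
    try {
        // make sure the row exists, so the lock below is a row lock
        $db->prepare('INSERT IGNORE INTO post_throttle (ipAddress, lastAttempt) VALUES (?, 0)')
           ->execute([$packedIp]);
        $sel = $db->prepare('SELECT lastAttempt FROM post_throttle WHERE ipAddress = ? FOR UPDATE');
        $sel->execute([$packedIp]);
        $elapsed = $now - (int) $sel->fetchColumn();

        $db->prepare('UPDATE post_throttle SET lastAttempt = ? WHERE ipAddress = ?')
           ->execute([$now, $packedIp]);
        if ($elapsed < MIN_INTERVAL_SECONDS) {
            $db->commit();
            return MIN_INTERVAL_SECONDS - $elapsed;
        }
        $db->prepare('INSERT INTO posts (ipAddress, submitDate, postText, imageUrl) VALUES (?, ?, ?, ?)')
           ->execute([$packedIp, $now, $text, $imageUrl]);
        $db->commit();
        return 0;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// ---- request handling ----
if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('POST only');
    }
    $text     = trim((string) ($_POST['posttext'] ?? ''));
    $imageUrl = trim((string) ($_POST['imageurl'] ?? ''));
    if ($text === '' || strlen($text) > 10000) {
        http_response_code(400);
        exit('Post text missing or too long');
    }
    // DSN and credentials are placeholders
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $wait = tryPost($db, clientIp(), $text, $imageUrl, time());
    if ($wait > 0) {
        // the caller is an AJAX request: answer with a status code and a short
        // message instead of redirecting (jQuery's success callback only runs
        // for 2xx, so the page's script needs an error handler to show this)
        http_response_code(429);
        header("Retry-After: $wait");
        exit("Please wait $wait more second(s) before posting again.");
    }
    echo 'Posted.';
}
```

The throttle row is locked for the whole transaction, so the read, the timestamp update and the insert happen as one unit per address; without that, two requests arriving in the same instant both see the old timestamp and both get through. Storing the address with inet_pton keeps the column fixed-width for IPv6 and avoids comparing strings with varying notation.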


Just store the IP and the request time in a log file. Then check the log file on each request for existence of that IP and compare the time stored.

Here's a simple script which only allows a request from the same IP after 10 seconds:

$waitSeconds = 10;
if (allowRequest($waitSeconds)) {
    // allowed
    echo "Welcome.";
} else {
    // not allowed
    echo "Please wait at least $waitSeconds seconds after your last request.";
}
echo '<hr /><a href="#" onclick="location.reload(true);return false">try again</a>';

function getLastRequestTimeDiff($ip = null, $logFile = null)
{
    if ($ip === null) {
        // no specific ip provided, grab it from the $_SERVER array
        $ip = $_SERVER["REMOTE_ADDR"];
    }
    if ($logFile === null) {
        // no specific log file given (in production put it outside the document
        // root, otherwise the web server will happily serve it)
        $logFile = "./lookup.log";
    }
    // open read/write, creating the file if needed, and take an exclusive lock:
    // without it two simultaneous requests can both read the old timestamp
    // and both get through
    $fh = fopen($logFile, "c+");
    if ($fh === false || !flock($fh, LOCK_EX)) {
        // cannot record the request; fail closed (0 is always below the threshold)
        return 0;
    }
    // read content
    $logContent = stream_get_contents($fh);
    // unserialize, check manual; only this script writes the file, but forbid
    // objects anyway and fall back to an empty table on a corrupt file
    $lookup = $logContent === "" ? array() : unserialize($logContent, array("allowed_classes" => false));
    if (!is_array($lookup)) {
        $lookup = array();
    }
    // default diff for a first request from this ip: "long ago", so it is allowed
    // (a default of 0 would refuse every first request)
    $diff = PHP_INT_MAX;
    // current timestamp
    $now = time();
    if (array_key_exists($ip, $lookup)) {
        // we know the ip, retrieve the timestamp and calculate the diff
        $diff = $now - $lookup[$ip];
    }
    // set the new request time (also for a refused request, which restarts the wait)
    $lookup[$ip] = $now;
    // forget ips not seen for a day so the file does not grow forever
    $lookup = array_filter($lookup, function ($seen) use ($now) {
        return $now - $seen < 86400;
    });
    // write it back: rewind, truncate, write, release the lock
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, serialize($lookup));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    // return diff (in seconds)
    return $diff;
}

// encapsulate our function in a more simple function (allow yes/no)
function allowRequest($allowed = 10, $ip = null, $logFile = null)
{
    $timeDiff = getLastRequestTimeDiff($ip, $logFile);
    return $timeDiff >= $allowed;
}
answered Nov 15 '22 00:11 by MonkeyMonkey
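Both answers key the timer on REMOTE_ADDR, and the first one notes that a direct client can send whatever it likes while users behind a proxy share one address. The added example below (not part of either answer; PHP 8, runnable from the command line) shows what to do about both: how to choose the address to key on when the site itself sits behind a reverse proxy, and the second answer's timer kept per address and per session at the same time, so people who share an address are still told apart. The proxy addresses, session ids and sample requests are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not part of either answer. Proxy addresses, session ids and
// the sample requests below are constructed.

// Addresses of the reverse proxies you operate (assumption). Only a request whose
// TCP peer is one of these may carry a trustworthy X-Forwarded-For header.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Returns the address to rate-limit on. $server is the $_SERVER array, passed in
 * so the function can be exercised with constructed requests.
 *
 * X-Forwarded-For reads "client, proxy1, proxy2, ...": each proxy appends the
 * peer it saw. Walk it from the right, skipping our own proxies; the first other
 * address is the one our proxy actually talked to. Anything further left was put
 * there by parties we do not control and is ignored.
 */
function clientAddress(array $server): string
{
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        // direct connection (or someone bypassing the proxy): the header is
        // whatever the client chose to send, so it is ignored
        return $peer;
    }
    $hops = array_map('trim', explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '')));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if ($hops[$i] === '' || in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue;
        }
        // a malformed entry falls back to the proxy's own address rather than
        // letting an attacker-chosen string become the key
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;
}

/**
 * In-memory form of the second answer's timer: one attempt per $waitSeconds per
 * key, and every attempt, allowed or not, restarts the wait (what the question
 * asks for). Keys are plain strings, so one class serves for addresses and for
 * session ids alike.
 */
final class AttemptTimer
{
    /** @var array<string,int> key => time of the last attempt */
    private array $last = [];

    public function __construct(private int $waitSeconds)
    {
    }

    public function attempt(string $key, int $now): bool
    {
        $allowed = !isset($this->last[$key]) || $now - $this->last[$key] >= $this->waitSeconds;
        $this->last[$key] = $now;
        return $allowed;
    }
}

/**
 * A post passes only if both timers allow it. The address timer is the coarse
 * one (it catches a script that simply discards its cookies), so it gets the
 * shorter interval; the session timer is the strict one and tells apart users
 * who share an address through a proxy or NAT.
 */
function mayPost(AttemptTimer $byAddress, AttemptTimer $bySession, array $server, string $sessionId, int $now): bool
{
    $addressOk = $byAddress->attempt(clientAddress($server), $now);
    $sessionOk = $bySession->attempt($sessionId, $now);
    return $addressOk && $sessionOk;
}

// ---- constructed requests ----
// a client talking to the app server directly, claiming to be 198.51.100.1
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
// the same client through both of our proxies, with the same spoofed first entry
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9, 10.0.0.6'];

printf("direct:    %s\n", clientAddress($direct));   // header ignored: not via a trusted proxy
printf("via proxy: %s\n", clientAddress($viaProxy)); // spoofed leftmost entry ignored

$byAddress = new AttemptTimer(1);
$bySession = new AttemptTimer(2);
$t = 1700000000;
$results = [
    'sessA first post'                  => mayPost($byAddress, $bySession, $viaProxy, 'sessA', $t),
    'sessA again after 1 s'             => mayPost($byAddress, $bySession, $viaProxy, 'sessA', $t + 1),
    'sessA 2 s after the refused try'   => mayPost($byAddress, $bySession, $viaProxy, 'sessA', $t + 3),
    'sessB, same address, same second'  => mayPost($byAddress, $bySession, $viaProxy, 'sessB', $t + 3),
    'sessB 2 s later'                   => mayPost($byAddress, $bySession, $viaProxy, 'sessB', $t + 5),
];
var_dump($results);
```

The ordering matters: the peer address decides whether the header is consulted at all, and the header is walked from the right so that only the entry appended by your own proxy counts. Keying on the session as well does not stop a scripted client on its own (it can drop the cookie and start a new session), which is why the address timer stays in place as the outer limit; the two together are what separates "the same person posting too fast" from "several people behind one address".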