1

So we are building a website and created our basic information to send logins to our database. We have trouble trying to disallow requests that just plug their own data in.

E.g. 

http://testing.site.com/php/interfaces/User.php?Action=1&Email=test@gmail.com&FirstName=herp%20derp

By replacing email and firstname, they are able to add multiple users to the database and potentially with a script thousands. Is there any way to prevent this without using a captcha? We are trying to be very minimal and open with the site's design so would love some input if this is possible.

One option we have considered is moving our PHP offline and only allowing our API to access it- however it still presents the problem of users adding in authorised data (and overloading our database with thousands of multiple requests)

Jordan Richards
  • 532
  • 3
  • 18
user1675207
  • 11
  • 1
  • 1
    That is not something you should be doing over GET, use POST instead. Add one-time CSRF tokens to the form to prevent rapid repetitive submissions. In extreme cases you can also throttle submissions by IP - the more submissions come from a single IP, the longer you should take to process them. Also, see [this question](http://stackoverflow.com/questions/6553609/). – DCoder Sep 16 '12 at 05:31
  • add a token or api key to the authorized requests – Ibu Sep 16 '12 at 05:33

1 Answers1

0

Here is a sample option, create a table with 2 fields, one is an Auto Increment id and one is a random code, lets name them ID and CODE

When sending that request, create 1 record in that table and pass the ID and CODE along with request, when receiving the request, check if there is a record in database with that ID and CODE process the request and delete that record from database too and if there isn't that record, just ignore request ...

Night2
  • 1,168
  • 9
  • 18