
On my website, I have created a comment section for blog posts. Users can write comments, click a button, and an AJAX request will be sent to PHP containing the data in JSON. The PHP will process & validate the data and then insert it into the database. On success, all comments are retrieved from the database and, using JQuery, all of the page's comments are reloaded.

The problem is that anyone can come along and, using their browser's console, forge an AJAX request, fill in their own JSON, and send the request to PHP. If done like this, all that happens is my client-side validation is useless. The server-side validation would still work. However, there's a bigger problem.

for(var i = 0; i < 10000; i++) {
    //ajax request
}

The user can very easily insert thousands and thousands of records into my database instantly.

Does anybody have any suggestions on how I can prevent something like this from happening? It must involve creating something on the server side that can't be guessed by a user, and somehow checking against that during an AJAX request. I'm just not sure how exactly to go about this.

Thanks for the help.

Mark
    Someone could do the same thing by simply looking to see the address the ajax requests are sent and writing a script in any language ( like a shell script and curl) to send continuous requests with data. Google "rate limiting on php". – Anthony Jun 02 '15 at 13:00
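The following is an added example, not code from the question or from any answer, showing the server-side check the question is asking for in the form Anthony's comment suggests: a sliding-window rate limit per client, applied after the posted JSON has been validated on the server. The in-memory `$store` array, the `WINDOW_SECONDS` and `MAX_PER_WINDOW` values, and the request shape (`post_id`, `text`) are assumptions; in a real deployment the store must be shared between requests (database, Redis, APCu) and the client key should be something the browser cannot simply drop, such as the logged-in user id combined with the remote address, since a client that refuses cookies gets a fresh session every request.

```php
<?php
// Added example (not from the question or answers): a server-side sliding-window
// rate limit for the comment endpoint, plus validation of the posted JSON.
// The store is a plain array so the script runs stand-alone; in production use
// a store shared across requests, keyed on the same client key.

declare(strict_types=1);

const WINDOW_SECONDS = 60;   // length of the sliding window (assumed value)
const MAX_PER_WINDOW = 5;    // comments allowed per client per window (assumed value)

/**
 * Returns true if the client identified by $clientKey may post now.
 * $store maps client keys to a list of recent request timestamps.
 */
function allowRequest(array &$store, string $clientKey, int $now): bool
{
    $cutoff = $now - WINDOW_SECONDS;
    // Drop timestamps that have fallen out of the window.
    $recent = array_values(array_filter(
        $store[$clientKey] ?? [],
        fn(int $t): bool => $t > $cutoff
    ));
    if (count($recent) >= MAX_PER_WINDOW) {
        $store[$clientKey] = $recent;
        return false;
    }
    $recent[] = $now;
    $store[$clientKey] = $recent;
    return true;
}

/**
 * Validate the decoded JSON body; returns an error string, or null if it is OK.
 * Client-side validation is a convenience only: the browser can send any JSON.
 */
function validateComment($data): ?string
{
    if (!is_array($data)) {
        return 'body must be a JSON object';
    }
    if (!isset($data['post_id']) || !is_int($data['post_id']) || $data['post_id'] <= 0) {
        return 'post_id must be a positive integer';
    }
    if (!isset($data['text']) || !is_string($data['text'])) {
        return 'text is required';
    }
    $len = strlen(trim($data['text']));   // byte length; adjust for your charset rules
    if ($len === 0 || $len > 2000) {
        return 'text must be 1-2000 bytes';
    }
    return null;
}

/** Handle one request; returns [HTTP status, message]. */
function handleComment(array &$store, string $clientKey, string $rawJson, int $now): array
{
    $data = json_decode($rawJson, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return [400, 'invalid JSON'];
    }
    if (($err = validateComment($data)) !== null) {
        return [400, $err];
    }
    if (!allowRequest($store, $clientKey, $now)) {
        return [429, 'too many comments, slow down'];
    }
    // ... insert the comment into the database here ...
    return [201, 'created'];
}

// Simulate the forged loop from the question: 10000 requests from one client
// arriving within the same second. Only MAX_PER_WINDOW of them get through.
$store = [];
$accepted = 0;
$body = json_encode(['post_id' => 7, 'text' => 'hello']);   // constructed request body
for ($i = 0; $i < 10000; $i++) {
    [$status] = handleComment($store, 'user:42|ip:203.0.113.9', $body, 1000);
    if ($status === 201) {
        $accepted++;
    }
}
echo "accepted $accepted of 10000 requests\n";
```

Run it with `php ratelimit.php` (PHP 7.4 or later, for the arrow function). The limit is enforced before the database is touched, so the burst in the question costs the server a few array operations per request rather than thousands of inserts; the rejected requests should be logged with the client key, since a sustained stream of 429s from one key is itself a useful signal.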

2 Answers


The only way for you to be safe in this respect is to add a CAPTCHA.

This will prevent mass / automated posts. One possible library to use is Securimage . It is simple to use and integrate. You can have it running in 10 minutes with your AJAX stuff.

Relying on other means such as cookies or client side validation of some sort is risky, if possible at all. For instance KA_lin's solution can be compromised in 5 minutes: a malicious user can be sending forged cookies that will always have a page count of 0 and thus will always be allowed to post. Or even worse, he could create a small program that will post to your page without sending any cookie at all. The above code will create a new cookie and accept his post, every time ...

Ioannis Loukeris

I would add a session variable containing the number of posts a user makes, given many pages you can form something like $_SESSION['page_id_total_nr_comments'] and track this number, add a config variable that lets the user add a maximum of X comments per article for example:

  // Requires session_start() to have been called earlier in the request.
  function canUserAddComment($pageId){
    $maxAllowed = MAX_COMMENTS_PER_ARTICLE;  // configured maximum, defined elsewhere
    $key = $pageId . '_nr_comments';         // PHP concatenates strings with '.', not '+'
    if(!isset($_SESSION[$key])){             // $_SESSION is the superglobal, not $SESSION
        $_SESSION[$key] = 0;
    }
    if($_SESSION[$key] < $maxAllowed){
        $_SESSION[$key]++;
        return true;
    }
    return false;
  }

OR

On save, get the number of comments a user has already made on the article and decide if he can make another (still with a config variable).

ka_lin
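As an added example that is not part of ka_lin's answer, this is the second option ("count what the user has already saved on the article") written out so it runs stand-alone: the count and the insert sit in one write transaction, so two requests from the same author arriving at the same moment cannot both see a count below the limit. The `comments` table layout, the `MAX_COMMENTS_PER_ARTICLE` value and the use of an in-memory SQLite database are assumptions made for the example; the `author_key` should be the logged-in user's id where you have one, because a key derived only from the session id has the weakness Ioannis Loukeris describes above (a client that sends no cookie gets a fresh session on every request).

```php
<?php
// Added example, not from the answer: enforce a per-author, per-article comment
// cap by counting rows already in the database, with the check and the insert
// in one transaction. Uses an in-memory SQLite database so it runs stand-alone.

declare(strict_types=1);

const MAX_COMMENTS_PER_ARTICLE = 3;   // configured limit per author per article (assumed)

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed table layout for the example.
    $db->exec('CREATE TABLE comments (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        post_id INTEGER NOT NULL,
        author_key TEXT NOT NULL,
        body TEXT NOT NULL,
        created_at INTEGER NOT NULL
    )');
    $db->exec('CREATE INDEX idx_post_author ON comments (post_id, author_key)');
    return $db;
}

/** Insert the comment only if the author is still under the per-article cap. */
function addComment(PDO $db, int $postId, string $authorKey, string $body): bool
{
    // BEGIN IMMEDIATE takes SQLite's write lock up front, so the SELECT and the
    // INSERT below cannot interleave with another writer's check-then-insert.
    $db->exec('BEGIN IMMEDIATE');
    try {
        $stmt = $db->prepare(
            'SELECT COUNT(*) FROM comments WHERE post_id = :p AND author_key = :a'
        );
        $stmt->execute([':p' => $postId, ':a' => $authorKey]);
        $count = (int) $stmt->fetchColumn();
        if ($count >= MAX_COMMENTS_PER_ARTICLE) {
            $db->exec('ROLLBACK');
            return false;
        }
        $ins = $db->prepare(
            'INSERT INTO comments (post_id, author_key, body, created_at)
             VALUES (:p, :a, :b, :t)'
        );
        $ins->execute([':p' => $postId, ':a' => $authorKey, ':b' => $body, ':t' => time()]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// Constructed scenario: one author tries ten times on article 42.
$db = openDb();
$author = 'user:' . bin2hex(random_bytes(4));   // stand-in for the logged-in user id
$accepted = 0;
for ($i = 0; $i < 10; $i++) {
    if (addComment($db, 42, $author, "comment #$i")) {
        $accepted++;
    }
}
echo "accepted $accepted of 10 attempts on article 42\n";
```

Run it with `php commentcap.php` (needs the `pdo_sqlite` extension). Because the limit is derived from persisted rows rather than from a counter the client carries, nothing the browser sends can reset it; the same query pattern (count inside the write transaction, then insert) carries over to MySQL or PostgreSQL with `START TRANSACTION` in place of `BEGIN IMMEDIATE` and a `SELECT ... FOR UPDATE` on the author's rows where the engine supports it.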