adding multiple rows in mysql

Question

I have a big problem that somebody is attacking me by adding multiple rows into my db. Hes using the form I have on my website. I got about 2500 rows in my db and all rows were different. Its been generating by any script. Do you have any suggestions how I can fix it? this is my form I have on my website

<?php
if(isset($_POST['type'])) {$type = mysql_real_escape_string($_POST['type']);}
if(isset($_POST['ip'])) {$ip = mysql_real_escape_string($_POST['ip']);}
if(isset($_POST['port'])) {$port = mysql_real_escape_string($_POST['port']);}
$add_date = time();
if(isset($_POST['email'])) {$email = mysql_real_escape_string($_POST['email']);}
if(isset($_POST['web'])) {$web = mysql_real_escape_string($_POST['web']);}
if(isset($_POST['mod'])) {$mod = mysql_real_escape_string($_POST['mod']);}


echo "
<form action='#' method='post'>

<legend>Formulár pre pridanie serveru</legend>

<table>
<tr>
<td>
Hra:
</td>
<td>
<select name='type'>
<option value='cs16'>Counter Strike 1.6</option>
<option value='source'>Counter Strike Source</option>
<option value='csgo'>Counter Strike Global Offensive</option>
</select>
(vyberte hru)
</td>
</tr>

<tr>
<td>              
Typ:
</td>
<td>
<select name='mod'>";

$modes = mysql_query("SELECT * FROM `lgsl_modes`") or die(mysql_error());
while($modes_names = mysql_fetch_array($modes))
{
echo '<option value="'.$modes_names['mod'].'">'.$modes_names['name'].'</option>';
}

echo "</select>
(vyberte herný mód)
</td>
</tr>


<tr>
<td>              
IP serveru:
</td>
<td>
<input type='text' name='ip' value='' required>
(iba číslice a bodky)
</td>
</tr>

<tr>
<td>              
Port serveru:
</td>
<td>
<input type='text' name='port' value='' required>
(iba číslice)
</td>
</tr>

<tr>
<td>               
Web serveru:
</td>
<td>
<input type='text' name='web' value='' required>
(uvádzajte bez začiatočného http://)
</td>
</tr>

<tr>
<td>              
Váš email:
</td>
<td>
<input type='text' name='email' value='' required>
(kontaktný email)
</td>
</tr>

<tr>
<td>
<input type='submit' name='odoslat' value='Odoslať'>
</td>
</tr>
</table>            
</form>
";


if($ip) if(!preg_match("/^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$/",$ip)) $usermsgip="Ip adresa bola uvedená v zlom tvare.";
if($port) if(!preg_match("/^[0-9]{5}$/",$port)) $usermsgport="Port bol uvedený v zlom tvare.";
if($email) if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,})$/",$email)) $usermsgemail="Email bol uvedený v zlom tvare.";    
if($web) if(!preg_match("%^((https?://)|(www\.))([a-z0-9-].?)+(:[0-9]+)?(/.*)?$%i" ,$web)) $usermsgweb="Web bol uvedený v zlom tvare.";

if(isset($_POST['odoslat']) && $usermsgip || $usermsgport || $usermsgemail || $usermsgweb) {
if($usermsgip) echo $usermsgip."<br>";
if($usermsgport) echo $usermsgport."<br>";
if($usermsgemail) echo $usermsgemail."<br>";
if($usermsgweb) echo $usermsgweb."<br>";
}


if(isset($_POST['odoslat']) && !$usermsgip && !$usermsgport && !$usermsgemail && !$usermsgweb) {
$kontrola = mysql_query("SELECT * FROM `lgsl` WHERE `ip`='".$ip."' AND `c_port`=".$port);                                                                                  
if(mysql_num_rows($kontrola)) {echo "Server už bol pridaný do banlistu.";}
else { 
mysql_query("INSERT INTO `lgsl` (`type`, `ip`, `c_port`, `q_port`, `disabled`, `add_date`, `email`, `web`, `mod`) 
VALUES ('$type', '$ip', '$port', '$port', '1', '$add_date', '$email', '$web', '$mod')");
echo 'Server bol úspešne odoslaný na schválenie.';
} 
} 
?>

Answer 1

I think you should rewrite the whole script using PDO. With Pdo you can avoid SQL-Injection in easy way. Here's a link where you can find that and all the web is full of guide and examples.

Anyway if you want to fix your script you can use Captcha to avoid automatic form submit and a library to sanitize input.

Here you find a simple captcha example and a good sanitize library.

You can whatch here some good tips to solve problems.

Hope this helps.