Hi, I would like to create a form using php that would submit information to a mysql database. I was wondering if anyone has tips on how I should secure the form so that I do not get spammed with entries into the database. Your advice would be greatly appreciated.

I have an idea: Make it so that a user can only add one item each time they visit the website or clear their cookies. Here's some code:

<?php
session_start();
if (!empty($_SESSION['spamcheck'])) { // empty() also avoids a notice when the key is not set yet
     die('You have already submitted data to this database!');
     // Or put whatever you like as an error message here. If you don't
     // use die(), then be sure to call exit; after you
     // display the error.
}

// Add your form code and MySQL processing here.
// Add the following line -after- the MySQL process
// has completed successfully.

$_SESSION['spamcheck'] = TRUE;
?>

Sp!ke offers a nice solution to help prevent people from multiple posting. Thanks, Sp!ke! :)

Jdmml, do you want to restrict public access to your form altogether? If so, then you must password-protect the script or the entire directory. You can employ security at the web-server level, but how you do that depends on what web server you are using. IIS on Windows, Apache on Windows, Apache on Linux, etc. Look up "security" or "password protect" for whatever webserver you use. If using Apache, check out the .htaccess file feature.

Another option is to "roll your own" security. You can write a PHP password-protection script. Good news is, I've done most of this work for you already. Check out my PHP Session & Password-Protection Class at http://www.troywolf.com/articles.

And now for more than you asked for.
The thing to understand about script-based protection is that you can only protect script pages. That is, consider a PHP-based protection system involving a PHP include file that you include in every script you want to protect. Well you can't include that protection into a PDF file or Microsoft Excel file or an image file such as .gif or .jpg. BUT...what you can do is to put all those non-PHP files into a non web-accessible directory then write a PHP script that opens those files and streams them to the browser as needed. (That is a bit more advanced topic, but not too difficult.)

Hi, thanks for all the help. I am going to employ the idea from Sp!ke. The problem is I would like everyone to have access to the form, however I need to find a way to keep my database from being filled with spam. Advanced users will know how to change their IP address and delete cookies. I was wondering if anyone knew how projects such as mediawiki deal with this problem, since users can freely edit the pages in wikis. How do they manage their database? Do they make constant backups of it?

Since I am only allowing users to submit to a database and not edit or delete, do you think I could somehow monitor the new entries?

MediaWiki, although all of its pages are freely editable, yes, they make constant backups to ensure somebody doesn't come in and just delete everything. For your purposes, I'd recommend adding a MySQL column named "approved" or something similar, and writing simple PHP to check if "approved" is TRUE, or is equal to 1. Those that are not approved can be displayed on a password-protected PHP page which only you can access, like Troy here described (very nicely, might I add), and then a link, possibly, next to each one, something like "Approve | Deny". Deny would change the "approved" column in the database to -1, and Approve might change it to 1.
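A concrete version of the approval-queue scheme described in the post above, written as an added example and not code from any poster in this thread. It assumes PDO is available and uses an in-memory SQLite database so it runs stand-alone; the MySQL DSN in the comment is a placeholder.

```php
<?php
// Added example, not code from this thread. Moderation queue built on an
// "approved" column (0 = pending, 1 = approved, -1 = denied) with PDO prepared
// statements. An in-memory SQLite DB is used so it runs stand-alone; for MySQL
// swap the DSN for something like 'mysql:host=localhost;dbname=mydb' (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL,
    message TEXT NOT NULL,
    approved INTEGER NOT NULL DEFAULT 0)');

// Public form handler: every submission enters the queue as pending, never as live.
function submitEntry(PDO $db, string $name, string $message): int {
    $name = trim($name);
    $message = trim($message);
    if ($name === '' || $message === '' || strlen($message) > 2000) {
        throw new InvalidArgumentException('invalid submission');
    }
    $stmt = $db->prepare('INSERT INTO entries (name, message, approved) VALUES (?, ?, 0)');
    $stmt->execute([$name, $message]);
    return (int) $db->lastInsertId();
}

// Public page lists status 1; the password-protected admin page lists status 0.
function entriesWithStatus(PDO $db, int $status): array {
    $stmt = $db->prepare('SELECT id, name, message FROM entries WHERE approved = ? ORDER BY id');
    $stmt->execute([$status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC); // escape with htmlspecialchars() when rendering
}

// "Approve | Deny" action. Only touches rows still pending, and should be a POST carrying
// the moderator's session token so the link cannot be fired by a page they merely visit (CSRF).
function moderate(PDO $db, int $id, bool $approve, string $token, string $sessionToken): bool {
    if (!hash_equals($sessionToken, $token)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE entries SET approved = ? WHERE id = ? AND approved = 0');
    $stmt->execute([$approve ? 1 : -1, $id]);
    return $stmt->rowCount() === 1;
}

// Demo with constructed submissions.
$token = bin2hex(random_bytes(16)); // in practice kept in $_SESSION and echoed into the admin form
$a = submitEntry($db, 'alice', 'hello');
$b = submitEntry($db, 'bot', 'buy now');
moderate($db, $a, true, $token, $token);
moderate($db, $b, false, $token, $token);
echo count(entriesWithStatus($db, 0)) . ' pending, ' . count(entriesWithStatus($db, 1)) . " approved\n";
```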
