Can anybody help me to build a form where I can put a limitation that if I click on the form once, then I cannot do that again for the next 5 minutes? The form has only one field, that is the email address.

The easiest way is using database to store the last form submit time by an IP.

Here's the idea:

create table timer(
  ip varchar(255),
  timestamp int
)
$ip=mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$time=time();
$timeout=time()-5*60;

mysql_query("DELETE FROM timer WHERE timestamp<$time");

$r=mysql_query("SELECT * FROM timer WHERE ip='$ip'");
if(mysql_num_rows($r)>0) 
{
    die("You've already submitted this form in the past 5 minutes");
} else {
    mysql_query("INSERT INTO timer (ip,timestamp) VALUES ('$ip', $time)");
    //process the form
    //.....
}

You may also want to save a cookie on the user's browser with the value of their IP. This way, if the user's IP changes, you can still keep track of users on dialup.

so the php part could look like:

$last_ip = isset($_COOKIE['last_ip']) ? mysql_real_escape_string($_COOKIE['last_ip']) : '';

$ip=mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$time=time();
$timeout=time()-5*60;

//mysql_query("DELETE FROM timer WHERE timestamp<$time");
// i think this should be...
mysql_query("DELETE FROM timer WHERE timestamp<$timeout");

$r=mysql_query("SELECT * FROM timer WHERE ip='$ip' OR ip='$last_ip' LIMIT 1");
if(mysql_num_rows($r)>0) 
{
    die("You've already submitted this form in the past 5 minutes");
} else {
    mysql_query("INSERT INTO timer (ip,timestamp) VALUES ('$ip', $time)");
    //process the form
    //.....
}

// set current IP in case it had changed on the next submit
setcookie("last_ip", $ip);

note: tracking IP and cookies is not foolproof. Some users will still be able to submit multiple times, but it will stop most.
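The two answers above, put together as an added example (Python with SQLite rather than the thread's PHP/MySQL; not code from any poster). It keeps the `timer`-table idea and the corrected purge condition (`timestamp < now - window`, not `< now`), uses parameterised queries instead of `mysql_real_escape_string`, and checks both the client IP and a browser cookie. One assumption of this example: the cookie carries an opaque random id generated by the server rather than the client's IP address, so a client-controlled cookie value is never a lookup key that means anything for another client. The fake clock and the IPs in `demo()` are constructed for the walkthrough.

```python
import secrets
import sqlite3
import time
from typing import Callable, List, Optional, Tuple

WINDOW_SECONDS = 5 * 60  # the question's 5-minute limit


class SubmitLimiter:
    """Sliding-window submit limit keyed by client IP and by a browser cookie.

    Same shape as the thread's `timer` table, with three changes:
      * expired rows are purged with `ts < now - window` (the first post's
        `timestamp < $time` would delete every row on every request);
      * all SQL is parameterised, so REMOTE_ADDR and the cookie value (both
        client-controlled) never touch the query text;
      * the cookie holds an opaque random id, not the client's IP
        (an assumption of this example, not the thread's design).
    """

    def __init__(self, conn: sqlite3.Connection,
                 window: int = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.conn = conn
        self.window = window
        self.clock = clock
        conn.execute(
            "CREATE TABLE IF NOT EXISTS timer ("
            " client_key TEXT PRIMARY KEY,"
            " ts INTEGER NOT NULL)"
        )

    def purge_expired(self) -> int:
        """Drop rows older than the window; returns how many were removed."""
        cutoff = int(self.clock()) - self.window
        return self.conn.execute("DELETE FROM timer WHERE ts < ?", (cutoff,)).rowcount

    def try_submit(self, ip: str, cookie_id: Optional[str]) -> Tuple[bool, str]:
        """Decide one submission. Returns (allowed, cookie id to set on the response)."""
        self.purge_expired()
        keys = ["ip:" + ip]
        if cookie_id:
            keys.append("cookie:" + cookie_id)
        marks = ",".join("?" * len(keys))          # only literal '?' placeholders
        hit = self.conn.execute(
            "SELECT 1 FROM timer WHERE client_key IN (%s) LIMIT 1" % marks, keys
        ).fetchone()
        if hit is not None:
            return False, cookie_id or ""           # seen within the window: refuse
        new_id = cookie_id or secrets.token_urlsafe(16)
        now = int(self.clock())
        self.conn.executemany(
            "INSERT OR REPLACE INTO timer (client_key, ts) VALUES (?, ?)",
            [("ip:" + ip, now), ("cookie:" + new_id, now)],
        )
        self.conn.commit()
        return True, new_id


def demo() -> List[bool]:
    """Walk through the cases the thread discusses; returns the allow/deny decisions."""
    now = [1_700_000_000]                                 # fake clock, constructed
    lim = SubmitLimiter(sqlite3.connect(":memory:"), clock=lambda: now[0])
    out = []
    ok, cookie = lim.try_submit("203.0.113.7", None)      # first submit
    out.append(ok)                                        # True
    now[0] += 60
    ok, _ = lim.try_submit("203.0.113.7", cookie)         # same client, a minute later
    out.append(ok)                                        # False
    ok, _ = lim.try_submit("198.51.100.9", cookie)        # dial-up IP changed, cookie kept
    out.append(ok)                                        # False: the cookie still catches it
    ok, _ = lim.try_submit("198.51.100.9", None)          # new IP and cookie deleted
    out.append(ok)                                        # True: the gap the thread notes
    now[0] += WINDOW_SECONDS + 1
    ok, _ = lim.try_submit("203.0.113.7", cookie)         # window has elapsed
    out.append(ok)                                        # True
    return out
```

The fourth case is the "not foolproof" gap the answer mentions: a client that changes IP and drops the cookie looks like a new client, which is why the thread moves on to a per-user limit.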

Thank you! php_daemon and digita-ether both. I will implement this, but what is meant by "this is not foolproof"? What should I do to make it foolproof?
Thanks!

Thanks for correcting my lil mistake and taking it a step further, digital-ether ;)

It's not foolproof because the IP can still be changed and the cookie can be deleted.

Making it foolproof is quite a challenge without a user membership present.

Hi,

Now I am using the session with the membership system. The users table has a row called transaction_time for storing the time of the last form processing.

Will you please guide me now.

Here is what I did and it seems to work, but I haven't used IP and cookie, I just use session. Is this good or insecure?

if ($_POST['process_form'] == 1) {
    if ($session->transaction_time < time()) {
        // process form ...
        $time = time();
        $next_time = $time + 2*60;
        $database->updateUserField($session->username, "transaction_time", $next_time);
    } else {
        die("You can only make one transaction in 2 minutes.");
    }
}

Regards!
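The per-user cooldown above, as an added example (Python/SQLite, not the poster's PHP) that also covers a case the post's code does not: it reads `transaction_time`, processes the form, and only then writes the new time, so two requests from the same user that arrive together both pass the read before either writes. The example reproduces that interleaving, then shows the check and the write done as one conditional `UPDATE`, where the row count tells the request whether it won the slot. The `users` table, the `alice` account and the timestamps are constructed for the demo.

```python
import sqlite3
from typing import Callable, List, Tuple

COOLDOWN_SECONDS = 2 * 60  # the thread's "one transaction in 2 minutes"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the membership system's users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " transaction_time INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice",))
    conn.commit()
    return conn


def racy_claim(conn: sqlite3.Connection, username: str, now: int) -> Tuple[bool, Callable[[], None]]:
    """The post's shape: read transaction_time, decide, write the new time later.

    Returns (allowed, commit) so the two halves can be interleaved below, the
    way two concurrent requests interleave them on a real server.
    """
    row = conn.execute(
        "SELECT transaction_time FROM users WHERE username = ?", (username,)
    ).fetchone()
    allowed = row is not None and row[0] < now

    def commit() -> None:
        conn.execute(
            "UPDATE users SET transaction_time = ? WHERE username = ?",
            (now + COOLDOWN_SECONDS, username),
        )
        conn.commit()

    return allowed, commit


def atomic_claim(conn: sqlite3.Connection, username: str, now: int) -> bool:
    """Check and extend the cooldown in one statement.

    The WHERE clause is the check; rowcount says whether this request won the
    slot. An unknown username matches nothing and is refused as well.
    """
    cur = conn.execute(
        "UPDATE users SET transaction_time = ? "
        "WHERE username = ? AND transaction_time < ?",
        (now + COOLDOWN_SECONDS, username, now),
    )
    conn.commit()
    return cur.rowcount == 1


def demo_race() -> Tuple[bool, bool]:
    """Two requests from alice in the same second: both pass the read."""
    conn = make_db()
    t0 = 1_700_000_000
    ok1, commit1 = racy_claim(conn, "alice", t0)
    ok2, commit2 = racy_claim(conn, "alice", t0)   # reads before commit1 has run
    commit1()
    commit2()
    return ok1, ok2                                 # (True, True): limit bypassed


def demo_atomic() -> List[bool]:
    """Same sequence with the conditional UPDATE."""
    conn = make_db()
    t0 = 1_700_000_000
    return [
        atomic_claim(conn, "alice", t0),                         # True
        atomic_claim(conn, "alice", t0),                         # False: slot taken
        atomic_claim(conn, "alice", t0 + 60),                    # False: still cooling
        atomic_claim(conn, "alice", t0 + COOLDOWN_SECONDS + 1),  # True: window passed
        atomic_claim(conn, "mallory", t0),                       # False: no such user
    ]
```

The same single-statement shape works with `updateUserField`-style helpers only if the helper lets you put the time comparison in the `WHERE` clause; otherwise wrap the read and the write in one transaction with the row locked.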

Yes, you're setting the timer for a specific user, it's a secure enough way to ensure the timer is not avoided.

That is a good way.
You could also use the IP address and a cookie as described before, together with the "user session" based system you're using now...

It really depends on what you are trying to achieve (Why you are limiting sending the form).

In different scenarios you would use different things...

If you are trying to stop bot-based spamming of some service on your website, such as a forum, then this may not be enough. The reason is that a spammer can log in as a different user and spam the forum.
(Logging into your forum can take a very short time if the user is a bot, even less than 1 second, and thus it can spam around 100 messages in 2 minutes.)
For this, you would be better off using a CAPTCHA, which is an image that bots find hard to read but people see instantly. (CAPTCHAs are not foolproof either, but the reasoning behind them is that it takes too much processing power on a computer to read multiple CAPTCHAs when spamming.)
It's also good to log IPs when using CAPTCHAs, as bots that are smart enough to read the CAPTCHA can be figured out if their IP pops up more than once within the time limit you set. (Cookies are useless on bots; they will usually ignore them or set some fake value.)

If you are trying to avoid spam from actual users and not bots, like when users are logged into a forum and repost twice (sometimes without knowing), then the solution works fine, as by the time the user logs out and logs in again as someone else, 2 minutes would have gone past.
So you would use the session based system you currently use for this scenario.

Just thinking about it, I think I should probably list a few methods you can use, and others can add to the list...

1) Session / User based restriction
2) IP based restriction
3) Cookie based challenge-response
4) Captcha based challenge-response
5) SSL connection
6) Confirmation page challenge-response

"Session / User based restriction" is what you're using.
"IP based restriction", "Cookie based challenge-response" and "Captcha based challenge-response" was mentioned before...

And an SSL connection makes sure the server is sending information to whoever requested it.

"Confirmation page challenge-response" is when the server sends back a confirmation page after the form is submitted. The confirmation page will contain a form, with a hidden field with a unique value for that form submission (usually an md5 or sha1 hash).
This makes sure the response from the server reaches the client (and thus was generated from that client) and also slows down bots.
This is more effective used with SSL.
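The confirmation-page challenge-response described above, as an added example in Python (not code from the thread). The first POST parks the submission server-side and returns a token for the hidden field; the POST from the confirmation page hands the token back, and the server accepts it once only, only within a time limit, and only from the session it was issued to. One choice this example makes that the post leaves open: the token is a random value from `secrets`, not an md5 or sha1 hash of the submission, because a hash of data the submitter already knows is something the submitter can compute without ever loading the page. The session ids, email and clock in `demo()` are constructed.

```python
import hmac
import html
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 10 * 60   # how long a confirmation page stays valid (assumed)


class ConfirmationFlow:
    """Two-step submit: park the first POST, confirm it with a one-time token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        # token -> (session id it was issued to, parked email, issue time)
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    def start(self, session_id: str, email: str) -> str:
        """Step 1: the first POST. Park the submission; return the hidden-field token."""
        token = secrets.token_urlsafe(32)     # unpredictable, unlike a hash of known data
        self._pending[token] = (session_id, email, self.clock())
        return token

    def hidden_field(self, token: str) -> str:
        """The input that goes into the confirmation page's form."""
        return '<input type="hidden" name="confirm_token" value="%s">' % html.escape(token)

    def confirm(self, session_id: str, token: str) -> Optional[str]:
        """Step 2: the POST from the confirmation page. Returns the email to process, or None."""
        entry = self._pending.pop(token, None)   # consumed on first use, even if a check below fails
        if entry is None:
            return None                            # unknown, forged, or already used
        issued_to, email, issued_at = entry
        if self.clock() - issued_at > TOKEN_TTL_SECONDS:
            return None                            # page kept around too long
        if not hmac.compare_digest(issued_to, session_id):
            return None                            # token reached a different client
        return email


def demo() -> List[Optional[str]]:
    """Genuine confirmation, then each way a token can be misused."""
    now = [1_700_000_000]                                  # fake clock, constructed
    flow = ConfirmationFlow(clock=lambda: now[0])
    out = []
    tok = flow.start("sess-A", "user@example.com")
    out.append(flow.confirm("sess-A", tok))                # genuine: "user@example.com"
    out.append(flow.confirm("sess-A", tok))                # replayed: None
    tok2 = flow.start("sess-A", "user@example.com")
    out.append(flow.confirm("sess-B", tok2))               # token used from another session: None
    tok3 = flow.start("sess-A", "user@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1
    out.append(flow.confirm("sess-A", tok3))               # expired: None
    out.append(flow.confirm("sess-A", "not-a-real-token"))  # forged: None
    return out
```

Because the token is popped before any check runs, a failed confirmation also invalidates it, so a token cannot be retried from another session after an expiry or mismatch. The `_pending` dict stands in for whatever store the site already uses for sessions; entries that are never confirmed should be swept on the same schedule as the thread's `timer` table.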
