
PHP Temporarily Banning An IP

I'm creating a contact form for my company and I want to make it as spam-proof as possible. I've created a honey pot + session checking, but I also want to make it so that it's only possible to submit the form once every x minutes. In other words, banning the IP from using the form for x amount of time.

What is the best solution to do this?

I can think of a few but none of them seem ideal.

Store the user's IP in a database every time the form is submitted, along with the timestamp. When a user submits the form, first check the database to see if they submitted within the timeframe.

Some problems could arise from large networks where users could share the same IP though. It depends on the target audience, really.

Database. Store the IPs in there and timestamp them.

A nice approach I've seen being used on some blogs is to use JavaScript to protect against bots. Like in the onsubmit() event change the method of a form from GET to POST. You can do other magic too. Bots are very inept at executing JavaScript so you can use that to your advantage.

On the other hand - this might hurt the 0.0000001% of users that don't have JavaScript enabled. Well, your choice really. :)

If you don't mind restricting the form to cookie-enabled browsers (eliminating some "browsers" aka bots I assume), you could do something like this:

Form page loads, it checks for a session variable with a timestamp. If none is found, it creates one and redirects to the same page, but with a GET parameter specifying "action=start" or something. So on the second load, if you see $_GET['action'] == 'start', you can check for that session variable. If you don't find one, you can redirect elsewhere saying cookies are required.

Now you can check the timestamp and do something else if it's been too soon.

This method will at least allow the same IP, since if you're dealing with a large group of people behind a firewall you don't have to block the whole group.

The database thing is probably your best bet, because it doesn't require them to allow anything, it just logs their data. The only issue with that is that they could be masking their IP or hitting it from multiple places. I'd try cross-referencing the IP on their session/cookie with the database. If the same person is hitting your site really fast from the same IP address it'll be obvious, but if you create a user ID as well, you can see if they're rapidly switching IP addresses.

It also wouldn't hurt to have some kind of cron script (or at least a tool written and on standby) ready to clean up a mess that does manage to get through. For my site I'm writing one to flag exactly identical submissions from multiple IPs within a very small timespan (within 10 seconds).

At the very least you could write some queries to show questionable submissions to the comment form.
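The IP-plus-timestamp table suggested in the answers above, as an added example that is not code from any of the posters. It assumes PDO with SQLite 3.24 or later (for the upsert syntax); the table name `form_submissions`, the function names and the 5-minute cooldown are hypothetical choices.

```php
<?php
declare(strict_types=1);

const COOLDOWN_SECONDS = 300; // the question's "x minutes"; 5 minutes is an assumed value

function openStore(string $dsn): PDO
{
    $pdo = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Hypothetical table: one row per IP holding its last accepted submission time.
    $pdo->exec('CREATE TABLE IF NOT EXISTS form_submissions (
        ip TEXT PRIMARY KEY, last_submit INTEGER NOT NULL)');
    return $pdo;
}

// Records the submission and returns true if $ip is outside the cooldown window;
// returns false (and leaves the stored timestamp alone) if it is still inside it.
function allowSubmission(PDO $pdo, string $ip, int $now): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ip = inet_ntop(inet_pton($ip)); // canonical text form, so one address maps to one row
    // Single atomic upsert: check and update cannot be split by a concurrent request.
    $stmt = $pdo->prepare(
        'INSERT INTO form_submissions (ip, last_submit) VALUES (:ip, :now)
         ON CONFLICT(ip) DO UPDATE SET last_submit = excluded.last_submit
         WHERE form_submissions.last_submit <= :cutoff'
    );
    $stmt->execute([':ip' => $ip, ':now' => $now, ':cutoff' => $now - COOLDOWN_SECONDS]);
    return $stmt->rowCount() === 1; // 1 = inserted or updated, 0 = still banned
}

// Cleanup for a cron job: rows older than the cooldown no longer affect any decision.
function purgeExpired(PDO $pdo, int $now): int
{
    $stmt = $pdo->prepare('DELETE FROM form_submissions WHERE last_submit < :cutoff');
    $stmt->execute([':cutoff' => $now - COOLDOWN_SECONDS]);
    return $stmt->rowCount();
}

// Constructed demo: in-memory database, documentation-range addresses, fixed clock.
$pdo = openStore('sqlite::memory:');
$t0  = 1700000000;
var_dump(allowSubmission($pdo, '203.0.113.7', $t0));        // first submission
var_dump(allowSubmission($pdo, '203.0.113.7', $t0 + 60));   // one minute later
var_dump(allowSubmission($pdo, '198.51.100.9', $t0 + 60));  // a different address
var_dump(allowSubmission($pdo, '203.0.113.7', $t0 + 300));  // cooldown elapsed
var_dump(purgeExpired($pdo, $t0 + 1000));
```

In a form handler the address would come from `$_SERVER['REMOTE_ADDR']` and the clock from `time()`; a rejected submission does not refresh the stored timestamp, so repeated attempts do not extend the ban.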

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 