
Issue with Cookies (PHP)

I'm having a really strange issue. Well, on my website I have a feedback and comment system; both use cookies to prevent people from sending a lot of comments (mass spam), blocking them from writing a comment or giving feedback on a post for, for example, 30 seconds. If they disable cookies they can't comment or give feedback. I use the system with a jQuery script that calls a PHP process so the page doesn't refresh.

First problem - For some reason, on localhost (hosted at my house) it works fine, blocking people. But on the host, if I upload the scripts (if I want to do an update, for example), it stops working: I can comment as much as I want, it will not block. But it's just on my computer (as I tested, on my brother's notebook and at my work it works fine). I also tested on IE, Firefox and Chrome. But after some days (random, 1-4) it starts to work fine. But if I update the script (even without changing THAT script), the issue comes back.

Second problem - On the vote (feedback) and comment system, if the 'block system' works fine, it will block the user for 30 seconds. But when I submit the comment, clicking very fast in the first second, it will submit twice. Like, it does the same comment 2/3 (sometimes 4) times. But if I try to comment again before the 30 seconds, it will block. How can I prevent people from doing duplicate submits?

Here is some code for you; it should help.

comments.php

// Assumed to be set earlier in the script (not shown in the question):
// $Comentario (comment text), $Usuario (optional username),
// $Segundos (block time in seconds) and $conexao (MySQL connection).
if (isset($_COOKIE["AbleCookie"])) // prevent disabled cookies
{
    if (!isset($_COOKIE["time"])) // verify whether the "time" cookie (which blocks commenting) has been set
    {
        if (strlen($Comentario) != 0)
        {
            if (strlen($Comentario) <= 500) // original had strlen($Comentario <= 500), which measured a boolean
            {
                // setcookie() only works before any output is sent. The output
                // buffering is not needed as long as nothing has been echoed yet.
                ob_start();
                setcookie("time", "anyvalue", time() + $Segundos);
                ob_end_flush();

                if (isset($Usuario))
                {
                    $acharUsuario = "select query";
                    $resultado = mysql_query($acharUsuario, $conexao) or die (mysql_error());
                    $ExisteUsuario = mysql_num_rows($resultado);

                    if ($ExisteUsuario != 0)
                    {
                        $UsuarioID = mysql_result($resultado, 0, 'id_usuario');

                        $InserirComentario = "insert query";
                        mysql_query($InserirComentario, $conexao) or die (mysql_error());

                        $Mensagem = "Correct";
                    }
                }
                else
                {
                    $InserirComentario = "insert query";
                    mysql_query($InserirComentario, $conexao) or die (mysql_error());

                    $Mensagem = "Correct";
                }
            }
            else
                $Mensagem = "<h3>Your comment must have less than 500 characters.</h3>";
        }
        else
            $Mensagem = "<h3>To comment something, you have to write something, right?</h3>";
    }
    else
        $Mensagem = "<h3>You can only post another comment after $Segundos seconds!</h3>";
}
else
    $Mensagem = "Something went wrong! Please take a look at our <a href='../faq'><b>FAQ</b></a>!";

echo $Mensagem;
$Mensagem = "";

not-refresh.js

function InserirComentario() {
    var uname  = $('#PostComentario').val();
    var postid = $('#CommentPostID').val();

    $.ajax({
        type: "POST",
        url: "sucess/comments.php",
        // Passing an object lets jQuery URL-encode the values; the hand-built
        // 'a=b&c=d' string breaks as soon as a comment contains '&' or '='.
        data: { post_comentario: uname, comment_postid: postid },
        cache: false,
        success: function (result) {
            if (result == 'Correct') {
                $("#PostComentario").val("");           // clear the textarea
            } else {
                $("#ComentariosFullPost").html(result); // show the server's message
            }
        },
        error: function (xhr, ajaxOptions, thrownError) {
            alert("Error Status: " + xhr.status + " Thrown Errors: " + thrownError);
        }
    });
}

Thanks in advance.

First off, don't use cookies to prevent a user state. They can be altered or, in this case, completely removed, thus circumventing the application's ability to prevent input.

Switch it over to a quick PDO look-up to find out when the user posted - add a new column if you need to with the post's IP address and username - and validate against that.

Or use a JavaScript query to do a 30 second countdown to prevent the initial request, and then the DB to prevent double clicking the button.

Do your best to stay away from cookies though unless you have to; they're too easy to manipulate and, at a later date, get stolen.
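The client-side half of the advice above, as an added example that is not code from the question or this answer: a guard for the jQuery handler in not-refresh.js that drops the second click of a double-click while the first request is in flight and holds the button for a cooldown after a successful post. The names (createSubmitGuard, begin, end, submitCommentWithGuard) are assumptions; this only stops accidental duplicates, and the database check is still what enforces the limit against anyone who skips the JavaScript.

```javascript
// Added example (not from the original page). Names are assumptions.
// A submission guard: rejects a second submit while one is in flight, and
// rejects submits during a cooldown that starts after a successful post.
function createSubmitGuard(cooldownMs, now = () => Date.now()) {
  let inFlight = false; // a request has been sent and has not answered yet
  let readyAt = 0;      // earliest time at which a new submission is accepted

  return {
    // Call before sending. Returns true if the caller may send, false otherwise.
    begin() {
      const t = now();
      if (inFlight || t < readyAt) return false;
      inFlight = true;
      return true;
    },
    // Call from the AJAX success/error callback. Only a successful post starts
    // the cooldown, so a failed request can be retried immediately.
    end(success) {
      inFlight = false;
      if (success) readyAt = now() + cooldownMs;
    },
    // Milliseconds until the next submission is accepted (0 if accepted now).
    remainingMs() {
      return Math.max(0, readyAt - now());
    },
  };
}

// How the guard wires into the handler from the question. jQuery ($) is
// passed in so the function can also be exercised with a stand-in object.
function submitCommentWithGuard(guard, $, postUrl) {
  if (!guard.begin()) return false; // double click or cooldown: ignore it
  $.ajax({
    type: 'POST',
    url: postUrl,
    // An object lets jQuery URL-encode the values; the hand-built 'a=b&c=d'
    // string in the question breaks when a comment contains '&' or '='.
    data: { post_comentario: $('#PostComentario').val(),
            comment_postid: $('#CommentPostID').val() },
    cache: false,
    success: (result) => {
      if (result === 'Correct') $('#PostComentario').val('');
      guard.end(result === 'Correct');
    },
    error: () => guard.end(false),
  });
  return true;
}
```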

Cookies are not going to stop a spammer. Log the IP address with a timestamp and check that (for example). You are making it too complicated for yourself and way too easy to overcome for spammers.

This is an example of how you can check the number of posts by one IP address:

// check posts: count what this IP address posted in the last 30 seconds
// (assumes $db is a PDO connection and `time` holds a Unix timestamp)
// ip2long() returns false for IPv6 addresses; store the raw string or
// use inet_pton() if IPv6 clients are expected.
$ip = ip2long($_SERVER['REMOTE_ADDR']);
$q = $db->prepare("SELECT COUNT(id) AS num FROM `posts`
                   WHERE `ipaddress` = ? AND `time` > ?");
$q->execute(array($ip, strtotime("-30 seconds")));

$row = $q->fetch(PDO::FETCH_ASSOC);
$numberOfPosts = (int) $row['num'];

if ($numberOfPosts > 0) {
    // not allowed: this address already posted within the window
}
