flood detection

I have a php poll script in my website, and there's some idiot that uses some Perl/Java/script kiddie tool to post the script in a loop and manipulate the poll results.
How can I detect his flood through the script and ignore the post?
Until now the script would plant a cookie when you vote, and if you try to vote again it would check if the cookie exists and if so it will ignore the vote. Because the flooder uses some tool and not a browser, the cookie is not planted...
The flooder uses more than one shell account to run his posting script, so the IPs are different.

What can I do to detect the flooder and ignore him?
There cannot be a 100% foolproof way.
But there are a few things you can try:

Ok, users need to create an account with an email not in the database. The person also has to verify this email to become a member.
You need to be a member to vote in the poll.

The poll script logs the IP, and it won't allow voting from the same IP for the next 10 minutes. [You have to do this because the IP doesn't remain the same all the time for users.]

It also uses cookies.

So to vote more than once, the person has to create a new account with a new email (and have to create a new email account if they don't have others), and then go to that email to verify.
The person has to change his ip.
He has to delete his cookies if he had the cookie option on. He has to log out or close the browser to clear his sessions, log in to his new account, and vote.

That is the best you can do to avoid flooding.

Excellent idea with having to verify e-mail, JD!!! This way they can't just register using just any e-mail just for the sake of gaining access!! They have to apply, then reply to the auto e-mail to become a member; then you can limit each e-mail to one vote a day.

Good Job JD.
Thx Andriv.


Richard Quadling, Senior Software Developer, commented:
Just to clear something in my own mind ...

1 - The user comes to the site, wishing to register and enters username/password/email address.

2 - The registration process sends out an email telling them to enter a code (which is logged against the email address).

3 - The user then has a confirmed account.

They have to login to your site to vote (members only sort of thing).

When they have voted, you could log their account ID against the vote, so you can instantly stop them from multiple voting, or allow them to amend their vote (wouldn't that be great in the real world?!? You don't like your president/prime minister/whoever and you can change your mind retrospectively! Ha!).

That looks quite secure. Did I miss anything?


Richard Quadling.
That's precisely what you should be doing.

All the best,
It doesn't even have to be a code; if they respond to the e-mail then you know it is their own and the registration is completed.

Now that they are registered they can only have one vote per day for that particular e-mail address.

Experts-exchange does it as well.  In order for your registration to be completed and before you can gain access you must confirm to the auto-email they send you.

No one can register with a fake e-mail address. Sure, people can register many e-mail addresses for the sake of registering, but that is forcing them to do a lot more work to manipulate the system and their program must enter each e-mail address only once. So if they wanted their program to do multiple vote submissions they can only do it once for each account.
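The register / confirm / members-only vote flow discussed in the posts above, as an added example that is not code from any poster in this thread. It limits each confirmed account to one vote per poll; the table names, column names and function names are assumptions, and an in-memory SQLite database stands in for the site's real one.

```php
<?php
// Added example: in-memory SQLite stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    token_hash TEXT NOT NULL, confirmed INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE votes (poll_id INTEGER NOT NULL, account_id INTEGER NOT NULL,
    choice TEXT NOT NULL, PRIMARY KEY (poll_id, account_id))');
// Steps 1-2: store the account unconfirmed; return the code that gets e-mailed.
function register(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(16));   // unguessable confirmation code
    $db->prepare('INSERT INTO accounts (email, token_hash) VALUES (?, ?)')
       ->execute([strtolower(trim($email)), hash('sha256', $token)]);
    return $token;                        // sent by mail only, never shown on the page
}

// Step 3: the account is confirmed only when the mailed code comes back.
function confirm(PDO $db, string $email, string $token): bool {
    $stmt = $db->prepare('SELECT id, token_hash FROM accounts WHERE email = ? AND confirmed = 0');
    $stmt->execute([strtolower(trim($email))]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE accounts SET confirmed = 1 WHERE id = ?')->execute([$row['id']]);
    return true;
}

// Voting is members-only; the primary key refuses a second vote per account and poll.
function vote(PDO $db, int $accountId, int $pollId, string $choice): string {
    $stmt = $db->prepare('SELECT confirmed FROM accounts WHERE id = ?');
    $stmt->execute([$accountId]);
    if ((int) $stmt->fetchColumn() !== 1) {
        return 'rejected: account not confirmed';
    }
    try {
        $db->prepare('INSERT INTO votes (poll_id, account_id, choice) VALUES (?, ?, ?)')
           ->execute([$pollId, $accountId, $choice]);
        return 'counted';
    } catch (PDOException $e) {
        if ($e->getCode() != '23000') throw $e;   // only swallow duplicate-key errors
        return 'rejected: already voted';
    }
}

$code = register($db, 'member@example.com');          // constructed sample account
echo vote($db, 1, 123, 'A'), "\n";                    // attempt before confirmation
var_dump(confirm($db, 'member@example.com', $code));
echo vote($db, 1, 123, 'A'), "\n", vote($db, 1, 123, 'B'), "\n";
```

Only a hash of the confirmation code is stored, so a leaked accounts table does not let someone confirm addresses they do not control.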
poll flooding..

one way is to use session to prevent flooding..

Main.php -> to display the poll
<?php
session_start();
// the poll id
$poll_id = 123;
// remember in the session which poll this visitor was shown
$_SESSION["poll_id"] = $poll_id;

// display the poll ..

SubmitPool.php -> to submit the poll
<?php
session_start();
// take poll_id from session, since there is possibility
// that user hardcode poll_id=xxx in url
if (empty($_SESSION["poll_id"])) {
   header("Location: Main.php");
   print "Ah.. you never visit the first page!\n";
   exit;
}
$poll_id = $_SESSION["poll_id"];

// assuming poll_id taken from session is 123
// check whether session variable make_choice_already_for_123
// is valued with "yes" or not:
$flag = "make_choice_already_for_" . $poll_id;
if (isset($_SESSION[$flag]) && $_SESSION[$flag] == "yes")
   die ("You have participated in poll before!");

// mark current user already participated in poll 123
$_SESSION[$flag] = "yes";

Ideally you can *ONLY* submit your choice *IF* you have seen the poll. Then we can *assume* that the user *MUST* go to Main.php before submitting the poll.
You can combine this code with your setCookie to prevent the user from participating in the poll again in the next hours/day (as the session expires). The user can delete your cookie though, but this mechanism makes flooding harder: you will have to go to first page with new session in order you can participate in poll..
in my last sentence:
you will have to go to first page with new session in order you can participate in poll..

what I mean is:
Someone will have to access the first page (with new session) in order to participate in poll.


I guess it depends on whether you're taking a semi-anonymous poll, or one where the vote is clearly identifiable to an account.

For identifiable - the above work great.

For semi-anonymous, I generally create a composite string, comprising The IP Address, the Date part of the timestamp, and something else (for example, the name of the poll), structured similar to :


By inserting that into a field requiring Unique values, you can limit to one vote per IP per Poll per Day.

This does have some limitations with proxy servers etc., but is pretty effective - I've only ever had a limited number of complaints regarding my semi-anonymous polls using this method.

Best regards,

if you will use date approach you may synchronize it with GMT for you may reside in US, whereas I am in Asia Pacific :) ..
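The composite-key approach from the post above, with the date taken in GMT as the reply suggests, as an added example that is not part of the original thread. The key layout (field order and the "|" separator), the table name and the function names are assumptions, since the post's own sample string is not on the page.

```php
<?php
// Added example: in-memory SQLite stands in for the poll database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE poll_votes (
    vote_key TEXT NOT NULL UNIQUE,   -- IP|GMT date|poll name
    choice   TEXT NOT NULL)');

// Build the composite string; returns null when the address is not a valid IP.
function voteKey(string $ip, string $poll, int $now): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $ip = inet_ntop(inet_pton($ip));         // canonical text form (matters for IPv6)
    return $ip . '|' . gmdate('Y-m-d', $now) . '|' . $poll;   // gmdate() = GMT day
}

// The UNIQUE column does the limiting: one row per IP per poll per GMT day.
function castVote(PDO $db, string $ip, string $poll, string $choice, int $now): string {
    $key = voteKey($ip, $poll, $now);
    if ($key === null) {
        return 'rejected: bad address';
    }
    try {
        $db->prepare('INSERT INTO poll_votes (vote_key, choice) VALUES (?, ?)')
           ->execute([$key, $choice]);
        return 'counted';
    } catch (PDOException $e) {
        if ($e->getCode() != '23000') throw $e;   // only swallow duplicate-key errors
        return 'rejected: duplicate';
    }
}

// Constructed sample requests; a live script would pass $_SERVER['REMOTE_ADDR'] and time().
$t = gmmktime(23, 30, 0, 3, 1, 2024);             // 2024-03-01 23:30 GMT
echo castVote($db, '192.0.2.10', 'best-editor', 'vim', $t), "\n";
echo castVote($db, '192.0.2.10', 'best-editor', 'emacs', $t + 60), "\n";   // same GMT day
echo castVote($db, '192.0.2.10', 'best-editor', 'vim', $t + 3600), "\n";   // next GMT day
echo castVote($db, '2001:db8:0:0:0:0:0:1', 'best-editor', 'vim', $t), "\n";
echo castVote($db, '2001:db8::1', 'best-editor', 'vim', $t), "\n";         // same host, short form
echo castVote($db, 'not-an-ip', 'best-editor', 'vim', $t), "\n";
```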


192.168.xxx.xxx?? You are globalsources people! OMG!!