[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


flood detection

Posted on 2002-03-23
Medium Priority
Last Modified: 2012-05-04
I have a php poll script in my website, and there's some idiot that uses some Perl/Java/script kiddie tool to post the script in a loop and manipulate the poll results.
How can I detect his flood through the script and ignore the post?
Until now the script would plant a cookie when you vote and if you try to vote again it would check if the cookie exists and if so it will ignore the vote, because the flooder uses some tool and not a browser the cookie is not planted...
The flooder uses more than one shell account to run his posting script so the IP's are different.

What can I do to detect the flooder and ignore him?
Question by:socket9001
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2

Accepted Solution

dkjariwala earned 1200 total points
ID: 6890563
There can not be 100% fullproof way.
But few things you can try,

Ok, users need to create an account with an email not in the database. The person also has to verify this email to become a member.
You need to be a member to vote in the poll.

The poll script logs ip, and it won't allow voting from the same ip for next 10 minutes. [You have to do this cause IP doesnt remain same all the time for users.]

It also uses cookies.

So to vote more than once, the person has to create a new account with a new email (and have to create a new email account if they don't have others), and then go to that email to verify.
The person has to change his ip.
He has to delete his cookies if he had the cookie option on. He has to log out or close the browser to clear his sessions, log in to his new account, and vote.

That is the best you can do to avoid flooding.


Expert Comment

ID: 6891808
Excellent idea with having to verify e-mail JD!!! This way they can't just register using just any e-mail just for the sake of gaining access!! They have to apply then reply to the auto emial to become a member then you can limit each email to one vote a day.

Good Job JD.

Expert Comment

ID: 6891963
Thx Andriv.

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 40

Expert Comment

by:Richard Quadling
ID: 6894427
Just to clear something in my own mind ...

1 - The user comes to the site, wishing to register and enters username/password/email address.

2 - The registration process sends out an email telling them to enter a code (which is logged against with the email address).

3 - The user then has a confirmed account.

They have to login to your site to vote (members only sort of thing).

When they have voted, you could log their account ID against the vote, so you can instantly stop them from multiple voting, or allow them to amend their vote (wouldn't that be great in the real world?!? You don't like your president/prime minister/whoever and you can change your mind retrospectively! Ha!).

That looks quite secure. Did I miss anything?


Richard Quadling.

Expert Comment

ID: 6894434
Thats precisely what you should be doing.

All the best,

Expert Comment

ID: 6894448
It doesn't even have to be a code, if they respond to the e-mail then you know it is there own and the registration is completed.

Now that they are registered they only can have one vote per day for that paticular e-mail address.

Experts-exchange does it as well.  In order for you registration to be completed and before you can gain access you must confirm to the auto-email they send you.

No one can register with a fake e-mail address. Sure people can register many e-mail address for the sake of registering but that is forcing them to do a lot more work to manipulate the system and their program must enter each email address only once. So if they wanted their program to do multiple vote submission they can only do it once for each account.

Expert Comment

ID: 6901845
poll flooding..

one way is to use session to prevent flooding..

Main.php -> to display the poll
// the poll id
$poll_id = 123;

// display the poll ..

SubmitPool.php -> to submit the poll
// take poll_id from session, since there is possibility
// that user hardcode poll_id=xxx in url
if ($HTTP_VAR_SESSION["poll_id"]=="")
   header("Location: Main.php");
   print "Ah.. you never visit the first page!\n";

// assuming poll_id taken from session is 123
// check whether variable $make_choice_already_for_123
// is valued with "yes" or not:
if (${"make_choice_already_for_".$poll_id} == "yes")
   die ("You have participated in poll before!");

// mark current user already participated in poll 123
${"make_choice_already_for_".$poll_id} = "yes";

Ideally you can *ONLY* submit your choice *IF* you have seen the poll. Then we can *assume* that user *MUST* go to Main.php before submit the poll.
You can combine this code with your setCookie to prevent user to reparticipate in poll in the next hours/day (as the session expired). User can delete your cookie though, but this mechanism make flooding harder: you will have to go to first page with new session in order you can participate in poll..

Expert Comment

ID: 6901856
in my last sentence:
you will have to go to first page with new session in order you can participate in poll..

what i mean is:
Someone will have to access the first page (with new session) in order to participate in poll.



Expert Comment

ID: 6901941
I guess it depends on whether you're taking a semi-anonymous poll, or one where the vote is clearly identifiable to an account.

For identifiable - the above work great.

For semi-anonymous, I generally create a composite string, comprising The IP Address, the Date part of the timestamp, and something else (for example, the name of the poll), structured similar to :


By inserting that into a field requiring Unique values, you can limit to one vote per IP per Poll per Day.

This does have some limitations with proxy servers etc., but is pretty effective - I've only ever had a limited number of complaints regarding my semi-anonymous polls using this method.

Best regards,


Expert Comment

ID: 6901949
if you will use date approach you may synchronize it with GMT for you may reside in US, whereas I am in Asia Pacific :) ..


192.168.xxx.xxx?? You are globalsources people! OMG!!

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question