protecting post and get?

ertaboy356b

Old School Gamer
Reaction score
86
Hi, I'm currently using AJAX through JQUERY.

Can someone please show me how to protect your post and get query from spams?

like for example, I have this code:

Code:
$.post("xml.php", {var: var}, function(xml) {
   // read the <name> element out of the XML reply and show it
   var name = $("name", xml).text();
   alert(name);
});

then someone can just modify this code like this to create spam:

Code:
function evilSpam() {
   $.post("http://www.mysite.com/xml.php", {var: "spam spam spam"}, function(xml) {
      var name = $("name", xml).text();
      alert(name);
   });
}

setTimeout(evilSpam, 100);

so basically, it will spam the site with unnecessary data and will somehow lag the server. How do I avoid this kind of spam??

How do I authenticate that the requests are from my site??
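One way to answer the "are these requests from my site" part of the question, as an added example that is not code from the thread: bind each AJAX call to the session that served the page, by embedding a per-session random token in the page and having xml.php refuse requests that do not carry it. The function names (issue_request_token, verify_request_token) and the POST field name `token` are assumptions. Note what this does and does not do: a request forged from some other site will not have the token, but a visitor who already has a valid session can still call the endpoint from their own console, which is the case the rate-limiting replies in this thread address.

```php
<?php
// Added example, not from the thread. Assumed names: issue_request_token(),
// verify_request_token(), POST field "token". Requires PHP sessions.

function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called by the page that embeds the jQuery call. Returns the session's token,
// creating a fresh 256-bit random one the first time.
function issue_request_token(): string {
    ensure_session();
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// Called by xml.php. True only if the request carries the token that belongs
// to this session. hash_equals() compares in constant time.
function verify_request_token(?string $sent): bool {
    ensure_session();
    $expected = $_SESSION['ajax_token'] ?? '';
    return $sent !== null && $expected !== '' && hash_equals($expected, $sent);
}

// In the page template, emit the token into JavaScript, HTML-escaped:
//   echo '<script>var ajaxToken = "' . htmlspecialchars(issue_request_token()) . '";</script>';
// and send it with every call:
//   $.post("xml.php", {var: value, token: ajaxToken}, function (xml) { ... });

// In xml.php, before doing any work (guard so the file also loads from the CLI):
if (PHP_SAPI !== 'cli') {
    if (!verify_request_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit;
    }
    // ... normal handling of $_POST['var'] and the XML response goes here ...
}
```

Keep the session cookie `HttpOnly` and `SameSite` so the token is only obtainable by a page you served; the token itself never goes into a cookie, only into the page and the POST body.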
 

GetTriggerUnit-

DogEntrepreneur
Reaction score
129
Code:
function evilSpam() {
   $.post("http://www.mysite.com/xml.php", {var: "spam spam spam"}, function(xml) {
      var name = $("name", xml).text();
      alert(name);
   });
}

setTimeout(evilSpam, 100);
First, you can't do that. AJAX does not allow cross-domain requests. But there are indeed ways to bypass that.

What you should do is catch the IP of the request sender and limit its number of entries per period of time, like 1 entry every 15 minutes. Even TH uses it. You can't search twice in 30 seconds.

You could store the IP into MySQL, for instance in a table with 2 columns: time, ip.
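The per-IP limit with the two-column table described here, written out as an added example rather than the poster's own code. The table name `ajax_hits`, the PDO connection placeholders and the function names are assumptions; the limit of 1 request per 15 minutes is the figure from the reply. It purges expired rows on each call so the table does not grow, and it fails closed if the database is unreachable.

```php
<?php
// Added example, not from the thread. Assumed table (placeholder name):
//   CREATE TABLE ajax_hits (
//     ip   VARCHAR(45)  NOT NULL,   -- 45 chars fits an IPv6 address
//     time INT UNSIGNED NOT NULL,   -- UNIX timestamp of the request
//     INDEX (ip, time)
//   );

function client_ip(): string {
    // REMOTE_ADDR comes from the TCP connection, so the caller cannot set it.
    // Only trust X-Forwarded-For if a proxy you control sets it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// True if this IP may proceed, false if it already made $limit requests in the
// last $windowSeconds seconds (or the database could not be consulted).
function allow_request(PDO $db, string $ip, int $limit, int $windowSeconds): bool {
    $now = time();
    $windowStart = $now - $windowSeconds;
    try {
        $db->beginTransaction();
        // Rows older than the window are never read again: drop them.
        $db->prepare('DELETE FROM ajax_hits WHERE time < ?')->execute([$windowStart]);

        $count = $db->prepare('SELECT COUNT(*) FROM ajax_hits WHERE ip = ? AND time >= ?');
        $count->execute([$ip, $windowStart]);
        if ((int) $count->fetchColumn() >= $limit) {
            $db->commit();
            return false;
        }

        $db->prepare('INSERT INTO ajax_hits (ip, time) VALUES (?, ?)')->execute([$ip, $now]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return false;   // fail closed: if we cannot count, we do not serve
    }
}

// xml.php entry point (DSN and credentials are placeholders).
if (PHP_SAPI !== 'cli') {
    $db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (!allow_request($db, client_ip(), 1, 15 * 60)) {
        http_response_code(429);                 // Too Many Requests
        header('Retry-After: ' . (15 * 60));
        exit;
    }
    // ... build and echo the XML response for $_POST['var'] here ...
}
```

Two requests arriving at the same instant can both see a count of zero and both get through, because the count and the insert are separate statements; for stopping a flood that off-by-one does not matter, and it is the price of not locking the table on every hit.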
 

Lyerae

I keep popping up on this site from time to time.
Reaction score
105
You don't need to be across another domain to execute AJAX requests. I can, right now, open up my JavaScript console and do whatever I want, as it's still considered the same domain. Example,

Code:
setInterval(function() {
	$.post('http://api.jquery.com/index-blank.html', 'hai gais', function(data) {
		console.log(data);
	});
}, 100);

Head over to the jQuery website (since they already have jQuery linked to, obviously, and since they have that page set up as a demo, I'm using them as an example), and run that, and you'll get the proper response.


Anyways, the best way to protect an AJAX request is to not use them. Failing that, you could prevent more than X amount of requests coming from the same domain within X amount of time.
 

UndeadDragon

Super Moderator
Reaction score
447
I think the idea of tracking the IP would be good, and a faster way than using MySQL to do it would probably be to either use cookies or sessions. It would save the need of constantly purging the database too.
 

Magentix

if (OP.statement == false) postCount++;
Reaction score
107
I think the idea of tracking the IP would be good, and a faster way than using MySQL to do it would probably be to either use cookies or sessions. It would save the need of constantly purging the database too.

Because people who are exploiting your AJAX handlers through a console don't disable that which may track them :)
 

UndeadDragon

Super Moderator
Reaction score
447
Because people who are exploiting your AJAX handlers through a console don't disable that which may track them :)

That's a fair point, I guess :p
 

GetTriggerUnit-

DogEntrepreneur
Reaction score
129
You don't have to use MySQL. You can use normal I/O, like writing JSON to a file, using json_decode and json_encode to handle everything.
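The file-backed variant this reply suggests, as an added example and not the poster's code. The thing a JSON file needs that MySQL gave you for free is locking: two requests that read, modify and write the file at the same time overwrite each other's counts, so the read-modify-write is done under flock(). The file path is a placeholder and must sit outside the web root; the function name is an assumption.

```php
<?php
// Added example, not from the thread. The JSON file maps ip => [timestamps].
// Path is a placeholder; keep it outside the document root.

function allow_request_file(string $path, string $ip, int $limit, int $windowSeconds): bool {
    $now = time();
    $windowStart = $now - $windowSeconds;

    // 'c+': read/write, create if missing, never truncate on open.
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        return false;                       // fail closed
    }
    if (!flock($fh, LOCK_EX)) {             // exclusive lock for the read-modify-write
        fclose($fh);
        return false;
    }

    $raw  = stream_get_contents($fh);
    $hits = ($raw === false || $raw === '') ? [] : json_decode($raw, true);
    if (!is_array($hits)) {
        $hits = [];                         // corrupt or truncated file: start over
    }

    // Expire old timestamps for every IP, so the file does the purging itself.
    foreach ($hits as $addr => $times) {
        $kept = is_array($times)
            ? array_values(array_filter($times, fn ($t) => (int) $t >= $windowStart))
            : [];
        if ($kept === []) {
            unset($hits[$addr]);
        } else {
            $hits[$addr] = $kept;
        }
    }

    $allowed = count($hits[$ip] ?? []) < $limit;
    if ($allowed) {
        $hits[$ip][] = $now;
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// xml.php entry point: same 1 request per 15 minutes as the earlier reply.
if (PHP_SAPI !== 'cli') {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!allow_request_file('/var/lib/mysite/ajax_hits.json', $ip, 1, 15 * 60)) {
        http_response_code(429);
        exit;
    }
    // ... normal handling of $_POST['var'] ...
}
```

Every request rewrites the whole file while holding the lock, so this serialises all hits to the endpoint; that is fine for a small site and is exactly the property that keeps the counts honest.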
 