CiviCRM flood control, use case and implementation

2011-03-30 06:59

Many modern web applications have several spam deterrents such as CAPTCHAs, Bayesian filters, URL and IP address detection, etc. One example: try to run two consecutive searches on a forum and you will get an error that looks like


"Your last search was less than 5 seconds ago. Please try again later."


The concept behind this is flood control: it prevents a web bot (an automated script) from spamming the form and flooding the server with requests.


Sometimes this technique is more useful than a CAPTCHA system. When someone performs a search on the forum it would be annoying to have to play the "guessing game" with a CAPTCHA every time, which discourages use of the search functionality altogether. A rate limit is invisible to a normal user and still stops a script from submitting hundreds of times a minute.


We are applying the same concept to the CiviContribute contribution page in an attempt to stop spammers from using the contribution form as a gateway to test fake or stolen credit cards (so-called "card testing"). See the code in the link below (pastebin):


The concept here is very simple. When a contribution form is successfully submitted, we insert a record into CiviCRM's cache table containing the user's IP address, the contribution page ID and the timestamp of when the form was successfully submitted. During the form validation step we check whether the same incoming IP address has already submitted the same form less than the flood interval ago (in this case 60 seconds) and, if so, stop the submission with a gentle error message. Because the record is only written on a successful submission, a visitor whose form fails validation for another reason is not locked out.
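The check described above, written out as an added example so the logic can be run stand-alone. This is not the pastebin code from the post and it is not CiviCRM's own API: it uses an in-memory SQLite table (`submission_log`, a stand-in for the civicrm_cache rows the post stores), and the function names, the `FLOOD_INTERVAL` constant and the sample IP addresses (from the TEST-NET ranges) are all assumptions constructed for the illustration. Expired rows are pruned on each write so the table does not grow without bound.

```python
import sqlite3
import time

# Flood interval in seconds, matching the 60 seconds used in the post.
FLOOD_INTERVAL = 60


def open_store():
    """Create an in-memory table playing the role of the civicrm_cache rows.

    Columns mirror what the post records: client IP, contribution page ID
    and the time of the last successful submission.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE submission_log ("
        " ip TEXT NOT NULL,"
        " page_id INTEGER NOT NULL,"
        " submitted_at INTEGER NOT NULL)"
    )
    # The check queries by (ip, page_id) and takes the newest row.
    conn.execute(
        "CREATE INDEX idx_submission ON submission_log (ip, page_id, submitted_at)"
    )
    return conn


def record_submission(conn, ip, page_id, now=None, interval=FLOOD_INTERVAL):
    """Call after a *successful* submission (the post-process step).

    Also deletes rows older than the interval; they can never trigger the
    check again, so keeping them only bloats the table.
    """
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT INTO submission_log (ip, page_id, submitted_at) VALUES (?, ?, ?)",
        (ip, page_id, now),
    )
    conn.execute(
        "DELETE FROM submission_log WHERE submitted_at < ?", (now - interval,)
    )
    conn.commit()


def seconds_until_allowed(conn, ip, page_id, now=None, interval=FLOOD_INTERVAL):
    """Seconds this IP must still wait before it may submit page_id again.

    Returns 0 when there is no recent submission from this IP for this page.
    """
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT MAX(submitted_at) FROM submission_log WHERE ip = ? AND page_id = ?",
        (ip, page_id),
    ).fetchone()
    last = row[0]
    if last is None:
        return 0
    remaining = interval - (now - last)
    return remaining if remaining > 0 else 0


def validate_contribution_form(conn, ip, page_id, now=None, interval=FLOOD_INTERVAL):
    """The validation-step check: returns an error message, or None to allow.

    'ip' should be the socket peer address (REMOTE_ADDR). Do not take it from
    X-Forwarded-For unless a proxy you control sets that header, because a
    client can put anything in it and bypass the limit.
    """
    wait = seconds_until_allowed(conn, ip, page_id, now, interval)
    if wait > 0:
        return (
            "Your last contribution from this address was less than "
            f"{interval} seconds ago. Please try again in {wait} seconds."
        )
    return None


def row_count(conn):
    """Number of rows currently kept; used to show that pruning works."""
    return conn.execute("SELECT COUNT(*) FROM submission_log").fetchone()[0]


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is stable.
    store = open_store()
    client, page = "203.0.113.7", 1
    print(validate_contribution_form(store, client, page, now=1000))  # None: allowed
    record_submission(store, client, page, now=1000)
    print(validate_contribution_form(store, client, page, now=1030))  # error, 30s left
    print(validate_contribution_form(store, client, page, now=1060))  # None: interval over
```

The two halves map onto the two places the post hooks into CiviCRM: `validate_contribution_form` runs during form validation and `record_submission` after the contribution has gone through. Keying the row on both IP and page ID, as the post does, means a limit on one contribution page does not block a legitimate donation to a different page from the same address.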


The downside to this approach is that if the user is behind a proxy or a NAT gateway, the IP address recorded will be the shared address, so another person behind the same proxy attempting to submit the form within the interval will see the error. Note that the check has to use the actual connection address; reading the client IP from a header such as X-Forwarded-For only makes sense behind a proxy you control, because otherwise the sender can set that header to anything and sidestep the limit.


In any case, this is a rather simple implementation and can be used on any CiviCRM form.



Hope you guys find this helpful,