PHP request spam prevention mechanism
I'm building a model view controller web application and I want to build a request spam mechanism. Why? Let me explain in short detail:
We got ourselves an ajax controller, every user input is received through ajax, no direct $_POST is done in my web application.
Let's imagine a few actions of the Ajax controller where we want to put a spam prevention mechanism on:
class AjaxController {
    // Name of the action being dispatched (e.g. 'postComment'); assumed to be set by the router.
    private $action;

    private function setPrevention($interval) {
        // Look up the last recorded request for this action, or null if there is none yet.
        $latestActionRequest = isset($_SESSION['requests'][$this->action])
            ? $_SESSION['requests'][$this->action]
            : null;
        if ($latestActionRequest === null) {
            // microtime(true) returns a float (seconds with sub-second fraction), not a string.
            $_SESSION['requests'][$this->action] = array('latest' => microtime(true), 'interval' => $interval);
        } else {
            // Calc difference here, and check if the interval was within range, else
            // the user was requesting the action method too quickly.
        }
    }

    public function _postComment() {
        $this->setPrevention(1000);
        // Apply validation on the $_POST array, then insert into the database.
    }
}
So we got an action to post a comment; we only want to allow the user to post a comment each second, so we apply a very basic prevention mechanism in our session.
Check the comment in the setPrevention method. I have got 2 questions. My first question is: is this mechanism a good idea? Or are there alternative, better ways to build this?
Second question is: how do I check if the latest request was within the interval range? With microtime - microtime I get the difference in seconds, but there are actions where I want to apply a 500 ms interval.
What I got so far:
    $_SESSION['requests']['postComment'] = array('latest' => microtime(true), 'interval' => 1000);
    // Subtract the stored float timestamp ('latest'), not the whole array, and order the
    // operands so that the elapsed time comes out positive.
    $difference = (microtime(true) - $_SESSION['requests']['postComment']['latest']);
At this point $difference gives back float(106.984388113) (waited 106 seconds),
but we want to get the microtime difference because our interval is 1000 (which is 1 second, not 1000).
I hope my question was clear, thanks for help.
The first answer should help with the sub-second timing.
    microtime(true)
In response to the edit: The decimal portion is the sub-second timing. The .984 is the part you're looking for in terms of precision. .500 is your 500 milliseconds. I would recommend setting up your intervals in terms of this float value.
You could multiply the difference by 1000, but if you ever want to adjust to a precision greater or less than milliseconds it'll be even more confusing. And I propose making it as easy to adjust this later as you can.
As for the mechanism for spam prevention there are a lot of options, but they will depend on the specifics of what your application needs.
The best advice I could give you for that is to abstract it in some way that it can get more information about the AJAX call than you think you may need now and build a simple system that works now and log the information about requests for review.
The biggest problem with spam prevention is preventing legitimate users and annoying them. So the best thing you can do is make it easier for yourself or another developer to swap out your mechanism in the future. You also need to have logs of the requests to be able to determine what kinds of requests are being stopped or not by the spam prevention.
If you use microtime(true) instead of just microtime(), it'll return a float instead of a string. Using the float, you'll be able to calculate the number of milliseconds elapsed since the original request. Make sure to use microtime for both the start and end time. As for the other question, this is definitely one way you can limit the number of requests. There may be other ways too, and that question isn't really what Stack Overflow was designed for. It's subjective.