Malicious refresh

Malicious refresh means reloading a submission page over and over so that it produces a large volume of invalid data. The problem comes up often in practice, in activities such as sharing for points, ticket grabbing and red-envelope grabbing. When you run a red-envelope or share-for-points activity, frequent refreshing puts the database under strain and can even crash the system. How do you prevent malicious page refreshes when you meet them, that is, malicious refreshes of the links you create?

Let’s first look at the principle behind preventing malicious page refreshing:

1. A validation string is passed between pages: generate a random string when the page is generated.
2. Pass that string as a mandatory parameter on every link, and also store it in the session.
3. When the user clicks the link or submits the form to enter the page, check whether the verification code in the session matches the one submitted by the user. If it does, process the request; if not, treat the request as a repeated refresh.
4. Once processing is complete, generate a new verification code for the next page.
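The four steps above, written out as one self-contained page (an added example, not code from the original article). It assumes the page posts to itself and that PHP sessions are available; the token is sent in a hidden form field, but the same value can equally be appended to links as a query parameter.

```php
<?php
// Added example: one-time page token that rejects repeated submissions.
// Assumes the form posts back to this same script and that sessions work.
session_start();

function issue_token(): string {
    // Steps 1-2: a fresh random token, stored in the session and embedded in the page
    $token = bin2hex(random_bytes(16));
    $_SESSION['page_token'] = $token;
    return $token;
}

function consume_token(?string $submitted): bool {
    // Step 3: compare the submitted token with the session copy (constant-time compare)
    $expected = $_SESSION['page_token'] ?? null;
    if ($expected === null || $submitted === null || !hash_equals($expected, $submitted)) {
        return false; // missing or stale token: treat as a repeated refresh / resubmit
    }
    unset($_SESSION['page_token']); // one-time use: refreshing the POST cannot replay it
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consume_token($_POST['token'] ?? null)) {
        // ...process the submission here (award points, count the vote, etc.)...
        $message = 'Submission accepted.';
    } else {
        http_response_code(409); // repeated or forged submission is rejected, not processed
        $message = 'Duplicate submission ignored.';
    }
}
// Step 4: every rendered page carries a new token, so each page load allows one submission
$token = issue_token();
?>
<!DOCTYPE html>
<p><?= htmlspecialchars($message ?? '') ?></p>
<form method="post" action="">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">
    <input type="text" name="name">
    <input type="submit" value="submit">
</form>
```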


We can prevent malicious refreshes at the session level. The code is as follows:

Scheme 1:

<?php
session_start();
// Helper, not a PHP built-in: the client address as the server sees it
function get_client_ip() { return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; }

$k = $_GET['k'] ?? '';
$t = $_GET['t'] ?? '';
$allowTime = 1800;                 // Anti-refresh window in seconds
$ip = get_client_ip();
$allowT = md5($ip . $k . $t);      // One session key per client/page/parameter combination
if (!isset($_SESSION[$allowT])) {  // First visit: allow and record the time
    $refresh = true;
    $_SESSION[$allowT] = time();
} elseif (time() - $_SESSION[$allowT] > $allowTime) { // Window expired: allow again
    $refresh = true;
    $_SESSION[$allowT] = time();
} else {                           // Inside the window: treat as a repeated refresh
    $refresh = false;
}
?>

Scheme 2:

<?php
session_start();
$allow_sep = 2; // Minimum number of seconds allowed between two requests
if (isset($_SESSION["post_sep"]) && time() - $_SESSION["post_sep"] < $allow_sep) {
    exit("Please don't refresh frequently, take a 2 second break and refresh again.");
}
$_SESSION["post_sep"] = time(); // Record the time of this request
?>

Scheme 3:

<?php
session_start();
if (!empty($_POST['name'])) {
    $data = $_POST['name'];
    $tag  = $_POST['tag'] ?? '';
    if (isset($_SESSION['status']) && $_SESSION['status'] == $tag) { // Tag matches the one issued with this page
        echo htmlspecialchars($data);
    } else {
        echo "Refresh not allowed!";
    }
}
$v = mt_rand(1, 100); // New tag for the page being rendered
?>
<form method="post" name="magic" action="f5.php">
    <input type="hidden" name="tag" value="<?= $v ?>">
    <input type="text" name="name">
    <input type="submit" value="submit">
</form>
<?php
echo $v;
$_SESSION['status'] = $v; // Remember the tag so the next submission is checked against it
?>

The code above is session-based validation: if you refresh the page within 2 seconds it calls exit() to print a message and stop the current script, so nothing after it is loaded. It is therefore best placed in the header, so that the check runs before anything else is output.

If you put the code in the footer, the whole page loads except for the last line, which says “please don’t refresh too often”; in the header it works as intended. To see this, press F5 twice. Best of all, put the code in a separate PHP file and include it from the header.

This method has two advantages: first, it is convenient to modify the functional code, since you do not have to open the header file every time and there is no risk of accidentally changing code elsewhere; second, if something goes wrong you can quickly fix and check it, or even delete the file outright.

The code is as follows:

<?php include('includes/forbiddenCC.php'); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

You can also use cookies together with sessions, as follows. First, storing the data in a file:

<?php
$c_file = "counter.txt";            // File name assigned to a variable
if (!file_exists($c_file)) {        // If the file does not exist, create it
    $myfile = fopen($c_file, "w");  // Create the file
    fwrite($myfile, "0");           // Put "0" in it
    fclose($myfile);                // Close the file
}
$t_num = file($c_file);             // Read the file contents into an array
$today = date("Y-m-d");             // Any day-granular format works here
if (!isset($_COOKIE["date"]) || $_COOKIE["date"] != $today) { // Does the cookie match the current date?
    $t_num[0]++;                    // Increment the stored value by 1
    $myfile = fopen($c_file, "w");  // Open the file
    fwrite($myfile, $t_num[0]);     // Write the new value
    fclose($myfile);                // Close the file
    // Write the current date to the cookie and set its validity to 24 hours
    setcookie("date", $today, time() + 60 * 60 * 24);
}
?>

This part reads the data:

<?php
session_start(); // Required before $_SESSION can be used
// Uses a text file to store the count
if (empty($_SESSION['temp'])) {
    if (($fp = fopen("counter.txt", "r")) === false) {
        echo "Failed to open file!";
    } else {
        $counter = fgets($fp, 1024);     // Read the data in the file
        fclose($fp);                     // Close the text file
        $counter++;                      // The counter increases by 1
        $fp = fopen("counter.txt", "w"); // Open the text file in write mode
        fputs($fp, $counter);            // Write the new count
        fclose($fp);
    }
    if (($fp = fopen("counter.txt", "r")) === false) { // Read the count back from the file
        echo "Failed to open file!";
    } else {
        $counter = fgets($fp, 1024);
        fclose($fp);
        echo "Digital counter:" . $counter; // Output the number of accesses
    }
    $_SESSION['temp'] = 1; // After login $_SESSION['temp'] is no longer empty, so a refresh takes the else branch
} else {
    echo "<script>alert('You cannot refresh this page!!'); history.back();</script>";
}
?>

The counter.txt file, in the same directory, is where the login count is recorded.

$counter = fgets($fp, 1024); is the method used to read the numeric value (which may include decimals) from the file.
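The file-based counter above reads, increments and rewrites counter.txt in separate steps, so two refreshes arriving at the same moment can read the same value and one increment is lost, or a partially written file is read back. The following added example (not code from the original article) does the same once-per-visitor-per-day count, but performs the read-increment-write under an exclusive lock. It assumes counter.txt lives next to the script and is writable by the web server.

```php
<?php
// Added example: the counter.txt scheme with the update done under flock().
// Assumes counter.txt is in the script's directory and writable by the server.
function bump_counter(string $file): int {
    $fp = fopen($file, 'c+'); // create if missing, but never truncate before the lock is held
    if ($fp === false) {
        throw new RuntimeException("Failed to open $file");
    }
    if (!flock($fp, LOCK_EX)) {   // other requests wait here instead of racing
        fclose($fp);
        throw new RuntimeException("Failed to lock $file");
    }
    $raw   = trim((string)stream_get_contents($fp));
    $count = ctype_digit($raw) ? (int)$raw : 0; // tolerate an empty or garbled file
    $count++;
    ftruncate($fp, 0);            // replace the old value in place
    rewind($fp);
    fwrite($fp, (string)$count);
    fflush($fp);                  // data is on disk before the lock is released
    flock($fp, LOCK_UN);
    fclose($fp);
    return $count;
}

session_start();
$today = date('Y-m-d');
if (!isset($_SESSION['counted']) && ($_COOKIE['date'] ?? '') !== $today) {
    // Count once per visitor per day: the cookie carries the day, the session the visit
    $n = bump_counter(__DIR__ . '/counter.txt');
    setcookie('date', $today, time() + 60 * 60 * 24);
    $_SESSION['counted'] = 1;
    echo "Digital counter: $n";
} else {
    echo "Already counted; refreshing does not change the count.";
}
```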