How can i limit the form request according to ip of the user?

[kkalgidim]

Hi,

I have a form that writes in db.

I am trying to find a way to limit the guest user from ip address.

2 Form request daily. When User try to submit 3. post it will be blocked.

Is there any way to do it?

[poljpocket]

Hi, if you really just want to limit by the IP address (off-topic but this is a bad idea!) of your visitors, I guess a simple approach would be to add the IP address alongside a timestamp of the form submission to your database table. Before you're adding submissions, you can then do something like this:

SELECT COUNT(*)
FROM form_submissions
WHERE date_created >= DATE_SUB(NOW(), INTERVAL 1 DAY)
AND remote_ip = ':ip';

Whenever that result is 2 or higher, block the submission. Does that help?

Edited August 6 by poljpocket

[kkalgidim]

Thanks for your approach.

My project creates a trade page when submit form.  After 24 hours pages deleted.

So i add ip field on trade template (every time when form submitted saved session ip to trade page) then count trade pages with that ip. 

$ip=$session->getIP();
$submitCount = $pages->count("template=trade, userip=$ip");?>

just add conditon

if ($input->post->btn_submit){
			if($submitCount<5){
                $p = new Page();
				$p->of(false);
				$p->template = 'trade'; //or whatever your template is called
				$p->parent = wire('pages')->get('/trades/'); //or whatever the parent page is called 
				$p->title = 'Form submission from ' . date('Y-m-d H:i');
				$p->robloxusername = $input->post->text('robloxusername');
				$p->userip = $session->getIP();
              }
             if($submitCount>=5) { 
				$message = "You have a total of 5 trades. You've reached your daily limit. Try again when your trades are deleted within 24 hours.";
				echo "<script type='text/javascript'>alert('$message');</script>"; 
			}
      }

because trades are deleted after 24 hours i dont need to control the time for ip address.

 

Thanks for your help.

[poljpocket]

Good approach. Didn't know if you actually used PW pages for the submissions, so I stuck to a direct SQL query. But of course that works this way.

May I ask why you are limiting this by IP address?

First of all, like that you are locking out all users behind one IP address. Means, that if a large number of your visitors is working from a private network with NAT, they will all have the same public IP and thus combined, they all can only post five trades per day.

Second, if you want to really limit the trades one single user can do, the IP doesn't help you. I can simply spin up my VPN and have 5000+ IP addresses a click away. All of a sudden, I can post 25000 trades per day and you wouldn't even know! And then, if another user using the same VPN provider tries to post his own legitimate trade, they can't because the IP has been used up already.

That's why I added the bracket with bad idea in my last post. You should use user accounts with logins and email verification to really get closer to managing maximum trades per user per day. Luckily, ProcessWire has you covered with that.

[poljpocket]

Here's a good stack overflow article discussing exactly what I am trying to say: Is it reliable to use the IP address to identify a user on your website? - Stack Overflow

[kkalgidim]

You are totally right about what you said.

My project is about roblox game item trading system. So my visitor target is between 8 - 15 years old.

Probably most of them uses their parents phone or laptops.

Visitor information  not important for me. I dont need any email address

Sytem must be quick and easy. wihout registration. Also the trade will be deleted in 24 hour. 

If bad guy try to hack the system there is nothing to lose for me.  Also there is nothing the hacker needs in the system.

I install it again and run the project.

But probably you right , my ip approach is sucks but easy to use like Windows ?