AJAX + PHP voting - stop abuse

Hey guys,

I am using AJAX + PHP to support a rating system (rate up or down) and a MySQL database. Right now I have the INSERT query fail at the MySQL database level if it should fail (no duplicate entry votes, user is allowed either one up or down vote).

Right now the user can keep pressing vote up and nothing will happen; it will send an HTTP POST to the database and the database will reject it. What is the best way to not allow a user to abuse this by spamming the vote up button? Because can't that lead to DoS attacks if a bunch of users continuously click the vote up or down button, causing the MySQL database to get a bunch of insert query requests? Ajax seems to make it so easy to flood. Or am I wrong? How can I prevent this?

Thanks guys!

No matter what you do in the browser, you can still get flooded. But the least you can do is disable the voting button after a successful vote, which is easy to do.

Will that require PHP checking the MySQL database for a duplicate vote every time the page loads, and then if it already exists, disable the button? So no matter what, it requires a MySQL query every time?

Send a response that the page is not found or user does not have access if they have already voted. Even just a regular page that states they may only vote once.

In theory the link shouldn’t exist to the form in the first place. So in reality the only way a user would be able to get to that page had they already voted would be to hack the URL it seems. In that case yes, run a query to check if they have already voted and handle the exception as appropriate.

What do you mean by a link shouldn’t exist to the form? The button to vote is on the page and should be visible. They click it and an AJAX HTTP request is sent to the PHP file that processes adding a vote.

Well then the form should not exist on that page or be replaced with a message stating the user has already voted and may only vote once, same concept.

Gotcha. Thanks a lot

Use tokens to restrict users. Maybe you can expire the token after a day; depends on your need. Or a simpler idea: only allow one vote per IP and/or session.
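Putting the thread's suggestions together in one PHP script (an added example, not code from the original poster or from any of the replies): the page renders the vote buttons only if a query shows the user has not voted yet, the AJAX handler checks a per-session token and a short per-session throttle before it touches MySQL, and the UNIQUE key on (user_id, item_id) stays in place as the final guard. The `votes` table and its columns, `$_SESSION['user_id']`, the DSN, and the `item_id`/`value`/`token` parameter names are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes a `votes` table with
// UNIQUE KEY (user_id, item_id), a logged-in user id in $_SESSION['user_id'],
// and that this one script renders the buttons (GET) and takes the AJAX
// vote (POST). Table, column and parameter names are hypothetical.
session_start();

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret'); // placeholder DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function hasVoted(PDO $pdo, int $userId, int $itemId): bool {
    $st = $pdo->prepare('SELECT 1 FROM votes WHERE user_id = ? AND item_id = ? LIMIT 1');
    $st->execute([$userId, $itemId]);
    return $st->fetchColumn() !== false;
}

// Per-session token the AJAX call must echo back; a POST that did not come
// from a page rendered for this session is refused before any SQL runs.
function voteToken(): string {
    if (empty($_SESSION['vote_token'])) {
        $_SESSION['vote_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['vote_token'];
}

// Cheap per-session throttle: one vote attempt per $window seconds. Keeps a
// click-spamming client away from MySQL; real flood protection belongs in
// front of PHP (web server / reverse proxy rate limits).
function throttled(int $window = 2): bool {
    $now  = time();
    $last = $_SESSION['last_vote_attempt'] ?? 0;
    $_SESSION['last_vote_attempt'] = $now;
    return ($now - $last) < $window;
}

function castVote(PDO $pdo, int $userId, int $itemId, int $value): string {
    if (!in_array($value, [1, -1], true)) return 'bad_value';
    try {
        $st = $pdo->prepare('INSERT INTO votes (user_id, item_id, value) VALUES (?, ?, ?)');
        $st->execute([$userId, $itemId, $value]);
        return 'ok';
    } catch (PDOException $e) {
        // MySQL 1062 = ER_DUP_ENTRY. Two concurrent first votes can both pass
        // hasVoted(); the UNIQUE key makes sure only one INSERT wins.
        if (($e->errorInfo[1] ?? 0) === 1062) return 'already_voted';
        throw $e;
    }
}

$pdo    = db();
$userId = (int)($_SESSION['user_id'] ?? 0);
$itemId = (int)($_REQUEST['item_id'] ?? 0);
if ($userId === 0 || $itemId === 0) { http_response_code(403); exit; }

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // AJAX endpoint: cheap checks first, database last.
    header('Content-Type: application/json');
    if (!hash_equals(voteToken(), (string)($_POST['token'] ?? ''))) {
        http_response_code(403);
        $status = 'bad_token';
    } elseif (throttled()) {
        http_response_code(429);
        $status = 'slow_down';
    } else {
        $status = castVote($pdo, $userId, $itemId, (int)($_POST['value'] ?? 0));
    }
    echo json_encode(['status' => $status]);
    exit;
}

// Page render: no buttons at all for a user who already voted, as the thread
// suggests. The client-side disable below is a convenience, not a control.
if (hasVoted($pdo, $userId, $itemId)) {
    echo '<p>You have already voted on this item; only one vote is allowed.</p>';
    exit;
}
$token = htmlspecialchars(voteToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<button class="vote" data-value="1">Vote up</button>
<button class="vote" data-value="-1">Vote down</button>
<script>
document.querySelectorAll('button.vote').forEach(function (b) {
  b.addEventListener('click', function () {
    document.querySelectorAll('button.vote').forEach(function (x) { x.disabled = true; });
    fetch(location.pathname, {method: 'POST',
      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
      body: 'item_id={$itemId}&value=' + b.dataset.value + '&token={$token}'});
  });
});
</script>
HTML;
```

The "already voted" check does still cost one SELECT per page load, as asked in the thread; if that matters, cache the user's vote state in the session after the first lookup. Each layer buys something different: disabling the button only stops an honest browser, the token stops POSTs that did not originate from a page rendered for that session, the throttle stops a client looping on fetch() from reaching MySQL on every iteration, and the UNIQUE key is what makes a race between two first votes harmless. A client that can generate requests at volume past all of that should be hitting rate limits in front of PHP, not inside it.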