Making a form to add users that can't be misused.

Travis86 · 12-09-2004, 11:00 AM

I'm trying to create a program that will add a user from an HTML form. However, I don't want someone to be able to create a script that will fill the database with users.

Making a lag of a second, or so, will cut down on the quantity of users that somone can add, but that's not really a solution.

Making it so one IP can't add more than one user every so often might work, but can someone spoof their IP and add as many as they want? Since this is over TCP, which has a three-way handshake, would they have to actually be at that IP or could they spoof it?

How should I do this?

Thanks.

csfalcon · 12-09-2004, 11:13 AM

is this problem a big concert?

The best way is to require email confirmation (one email for only one account).

Travis86 · 12-09-2004, 12:02 PM

I was just wanting to do it the "right way."

The e-mail way is a good idea, but someone could still fill the database with users waiting to be confirmed.

csfalcon · 12-09-2004, 12:39 PM

you can confirm the email first, then allow them to create account. But you always have to store some sort of information.

use a combo of IP, email and other methods.