CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Topic: Flooding control for CiviContribute

xcf33

  • I post frequently
  • Posts: 181
  • Karma: 7
  • CiviCRM version: 3.3.2
  • CMS version: Drupal 6.19/6.20
  • MySQL version: 5.x
  • PHP version: 5.2.6
Flooding control for CiviContribute
March 28, 2011, 11:13:12 am
We have had occasions where people who stole credit card information try to use the contribution form to test whether the stolen credit card is still valid. They build automated scripts to fill out and submit the contribution form. It results in us having to go to the payment processor and refund all the false contributions.

I'm wondering, similar to a forum flooding control, whether we can check if the same IP address has submitted a certain number of contributions in a short amount of time and treat that as an automated attempt.


If this feature already exists, please ignore this.



Thanks,


Cheers!

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Flooding control for CiviContribute
March 28, 2011, 03:08:30 pm

For now it might be easiest to do this with a Drupal module. If I had to guess, there might be a Drupal module for this already that checks that a certain 'q' variable in Drupal cannot be hit repeatedly by the same IP in a certain period.

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

xcf33

  • I post frequently
  • Posts: 181
  • Karma: 7
  • CiviCRM version: 3.3.2
  • CMS version: Drupal 6.19/6.20
  • MySQL version: 5.x
  • PHP version: 5.2.6
Re: Flooding control for CiviContribute
March 29, 2011, 06:51:50 am
I've searched a bit and so far not much luck. In addition, wouldn't the flood control need to be triggered on a POST to /civicrm/contribute/transact rather than just checking the q path?

I'm thinking about two ways of doing it.

1. Create or insert time information from the postProcess hook on the contribution form that records the session, IP address and time when it performed the HTTP POST

2. Use some sort of session token


I'm leaning towards a non-database solution but not sure how to implement a session based mechanism.


Any direction would be appreciated!


Cheers

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Flooding control for CiviContribute
March 29, 2011, 07:22:18 am

hey Chang:

the POST variables also contain the 'q' param in $_REQUEST / $_GET, so you can use that. The main issue is that it does not contain the 'id' of the transaction page (and you may or may not want this restricted per page)

the session token seems good, but I suspect the smart hackers out there will clear out cookies before every transaction etc. Keeping it in the DB table is probably a better idea. I suspect you can reuse the cache tables for that (with a different path)

lobo

xcf33

  • I post frequently
  • Posts: 181
  • Karma: 7
  • CiviCRM version: 3.3.2
  • CMS version: Drupal 6.19/6.20
  • MySQL version: 5.x
  • PHP version: 5.2.6
Re: Flooding control for CiviContribute
March 29, 2011, 07:33:40 am
The cache table seems like a terrific idea.

On the idea of restricting based on contribution page id, it is a good idea. It's possible to add the contribution page id in the buildForm hook so it gets posted, correct?

I'm going to check the submission interval in the civicrm_hook_validate hook and insert the cache record in the postProcess hook.
« Last Edit: March 29, 2011, 07:39:01 am by changx (xcf33) »

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Flooding control for CiviContribute
March 29, 2011, 03:33:08 pm

yes, you can get the contribution page id in the postProcess

why don't you do it all in the buildQuickForm hook? If a submission has happened already in the required interval, then reject it at the very beginning of the process

lobo

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Flooding control for CiviContribute
September 12, 2011, 03:11:19 pm
Any working code for this yet? I need this too, but prefer not to reinvent the wheel if I can avoid it.
Try asking your question on the new CiviCRM help site.

Eileen

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • Posts: 4195
  • Karma: 218
    • Fuzion
Re: Flooding control for CiviContribute
September 12, 2011, 04:41:42 pm
Depending on your payment processor, they might provide support for it. I know eWay had some anti-fraud features which we made available quite easily to Civi (basically you can configure it to reject transactions based on certain criteria).
Make today the day you step up to support CiviCRM and all the amazing organisations that are using it to improve our world - http://civicrm.org/contribute

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Flooding control for CiviContribute
September 12, 2011, 05:38:17 pm
Not auth.net, unfortunately; the best they can do is throttle the number of transactions per day (globally, not per user), which is a bad solution for obvious reasons.
I like dlobo's idea of using the cache table, and specifically throttling #post. It seemed elegant (lightweight and unobtrusive). I might just write a simple script for that if I don't hear back from changx.
« Last Edit: September 12, 2011, 08:42:52 pm by colemanw »

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Flooding control for CiviContribute
September 12, 2011, 10:13:22 pm
Thanks changx for sharing your code.
It seems like this feature is important enough to warrant adding to core. Flood control is a sensible thing that most people should want -- it can prevent your organization from getting really screwed.

Here's my version -- much shorter than changx's because it uses the Drupal cache functions. It limits transactions to 2 per day from a single IP.

Code:
/**
 * Implementation of hook_civicrm_postProcess. Drupal only invokes a hook when
 * the function is prefixed with the implementing module's name; "woolman" is
 * taken from the original function name.
 */
function woolman_civicrm_postProcess($formName, &$form) {
  // Record contribution submissions by IP address, store for 24 hours
  if ($formName == 'CRM_Contribute_Form_Contribution_Confirm') {
    $ip = ip_address();
    $n = 1;
    // A still-live first record means this is the second submission in the window
    if (($c1 = cache_get('civicontribute_flood_1_' . $ip)) && time() < $c1->expire) {
      ++$n;
    }
    cache_set('civicontribute_flood_' . $n . '_' . $ip, 1, 'cache', strtotime('+1 day'));
  }
}


/**
 * Implementation of hook_civicrm_validate (same module-name prefix as above)
 */
function woolman_civicrm_validate($formName, &$fields, &$files, &$form) {
  // Validate contribution pages for flood control
  // If 2 live entries from this IP address exist, reject the form submission
  if ($formName == 'CRM_Contribute_Form_Contribution_Main') {
    $ip = ip_address();
    if (($c1 = cache_get('civicontribute_flood_1_' . $ip)) && ($c2 = cache_get('civicontribute_flood_2_' . $ip))
      && time() < $c1->expire && time() < $c2->expire) {
      // Pass the IP as a placeholder instead of concatenating untrusted input into the log message
      watchdog('civicontribute_flood', 'Prevented contribution form submission from IP %ip', array('%ip' => $ip), WATCHDOG_WARNING);
      return array('qfKey' => 'Sorry, for security reasons we do not allow more than two credit card transactions per day. Please try again later.');
    }
  }
  return TRUE;
}
« Last Edit: September 12, 2011, 10:36:03 pm by colemanw »

jcm55

  • I post occasionally
  • Posts: 96
  • Karma: 14
Re: Flooding control for CiviContribute
October 21, 2014, 07:59:13 am
Did anything like this actually make it into core? A bot was testing CC numbers against our contribute page and got our authorize.net account suspended for 30 minutes this morning.

joanne

  • Administrator
  • Ask me questions
  • *****
  • Posts: 852
  • Karma: 83
  • CiviCRM version: 4.4.16
  • CMS version: Drupal 7
Re: Flooding control for CiviContribute
October 21, 2014, 03:37:38 pm
I don't think it is in core and we actually wouldn't want it there.

We have over 1000 volunteers Australia wide and any one of them could want to submit more than two memberships at any time. (In reality, only a couple of people do so each month, but we could never predict which two people are the ones for any particular month.)

jcm55

  • I post occasionally
  • Posts: 96
  • Karma: 14
Re: Flooding control for CiviContribute
October 22, 2014, 08:13:16 am
Yes, agreed -- if added to core, it would need to have configuration options: enable/disable, rate, and interval. So you could set the limit to 5 per hour, 10 per day, 50 per week, or whatever is appropriate for your org.
« Last Edit: October 22, 2014, 08:17:49 am by jcm55 »
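A configurable form of the per-IP throttle discussed in this thread, covering the rate and interval options jcm55 asks for above and generalising colemanw's fixed two-per-day code (added example; not code from the thread, CiviCRM or Drupal). The function and preset names are made up for the example, and storage is left to the caller so the timestamp list can live in the cache table as the thread suggests:

```php
<?php
// Added example, not from this thread or from CiviCRM/Drupal. Throttles one IP to
// "$limit submissions per $interval seconds": the 5/hour, 10/day, 50/week settings
// jcm55 describes, generalising colemanw's fixed 2-per-day check. Storage is left
// to the caller: pass in the past submission timestamps for the IP (e.g. the ->data
// of a cache_get() record, as the thread suggests) and store the pruned list back.

// Constructed presets an admin setting could map to (hypothetical names).
$civicontribute_flood_presets = array(
  'strict'  => array('limit' => 5,  'interval' => 3600),      // 5 per hour
  'default' => array('limit' => 10, 'interval' => 86400),     // 10 per day
  'relaxed' => array('limit' => 50, 'interval' => 7 * 86400), // 50 per week
);

/**
 * Sliding-window check, run from the validate hook before the card is charged.
 * Returns array('allowed' => bool, 'timestamps' => array) with entries older
 * than the window pruned, ready to be written back to storage.
 */
function civicontribute_flood_check(array $timestamps, $now, $limit, $interval) {
  $recent = array();
  foreach ($timestamps as $t) {
    if ($t > $now - $interval) {
      $recent[] = $t;
    }
  }
  return array('allowed' => count($recent) < $limit, 'timestamps' => $recent);
}

/**
 * Run from the postProcess hook after a submission went through: append now and
 * return the list to store (cache_set() with expire $now + $interval suits it).
 */
function civicontribute_flood_record(array $timestamps, $now) {
  $timestamps[] = $now;
  return $timestamps;
}

// Constructed walk-through: a script posting every two minutes against 5/hour.
// The sixth post is rejected; an hour later the window has slid and posts are allowed again.
$cfg = $civicontribute_flood_presets['strict'];
$stored = array();
$t0 = 1317000000; // arbitrary epoch start for the simulation
foreach (array(0, 120, 240, 360, 480, 600, 4200) as $offset) {
  $now = $t0 + $offset;
  $r = civicontribute_flood_check($stored, $now, $cfg['limit'], $cfg['interval']);
  $stored = $r['allowed'] ? civicontribute_flood_record($r['timestamps'], $now) : $r['timestamps'];
  printf("t+%4ds: %s (%d in window)\n", $offset, $r['allowed'] ? 'allowed' : 'REJECTED', count($stored));
}
```

Keying on ip_address() behind a reverse proxy or CDN requires Drupal's reverse-proxy settings to be configured, otherwise every visitor shares one address and the limit hits legitimate donors.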
