HTTP_FloodControl Class


The HTTP_FloodControl package can be used to detect and protect a Web site from attempts to flood it with too many requests. It also allows to protect the site from automatic downloading many pages or files from the same IP address, session ID or other unique identifier.

The detection of flood is determine according to a set of parameters indicating the maximal allowed number of requests for the certain time interval. It is possible to set several parameters at once in order to perform more effective protection.

The package uses various storage containers (regular files, DB, MDB, MDB2) to handle counter logs.

License Agreement

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.


Written by Vagharshak Tozalakyan © 2007
This package is based on FloodBlocker class previously created by author for PHP Classes project.

Requirements and Dependences

  • PHP version 5
  • PEAR::Exception
  • PEAR::DB (optional)
  • PEAR::MDB (optional)
  • PEAR::MDB2 (optional)

See downloads section for direct links to dependent PEAR packages.

How To Use

Using HTTP_FloodControl is quite simple. Normally it is necessary to set an appropriate storage container, define limits and call the check() method, which returns false if flooding attempt detected based on supplied limits and unique identifier.

To run the above example it is necessary to have a directory /home/user1/fc_logs with writing permissions for the script.

Normally flood protection code should be written at the top of the script. The code may exist in a separate PHP file which is possible to include on desired pages of a site.

Using File Container

In order to use the File container it is necessary to create a separate directory for counter logs storage. The script must have permission to write files in that directory.

Logs directory may be created somewhere outside the root of documents or an .htaccess file may be used inside that directory to prevent illegal access. Please note, that the garbage collector will delete all files from the logs directory except those started with a dot.

Using Database Containers

First of all it is necessary to create a database table with the following structure:

In the following example MDB2 container is being used. DB and MDB containers may be used the same way, only MDB2 should be changed to the name of appropriate container.

To use an existed database connection, a valid connection handle may be passed to the setContainer() instead of DSN string.

Applying Multiple Limits

The check() method may be called more than one time. For example, in the following listing two different limit arrays are used for subnet address and current session identifier.

Incremental Locking

Let's assume the following code is used for flood control:

If there was more than 30 requests during 1 minute, the access will be blocked for the next 1 minute, so the user can access the page only after 1 minute from the latest over-request. If the user try to access the locked page, the access will be blocked for 1 minute again (incrementally).

Incremental locking is set to false by default.



Here are some external packages you may download:

PEAR: PEAR base classes
DB: database abstraction layer
MDB: database abstraction layer
MDB2: database abstraction layer
MDB2_Driver_fbsql: fbsql MDB2 driver
MDB2_Driver_ibase: ibase MDB2 driver
MDB2_Driver_mssql: mssql MDB2 driver
MDB2_Driver_mysql: mysql MDB2 driver
MDB2_Driver_mysqli: mysqli MDB2 driver
MDB2_Driver_oci8: oci8 MDB2 driver
MDB2_Driver_pgsql: pgsql MDB2 driver
MDB2_Driver_querysim: querysim MDB2 driver
MDB2_Driver_sqlite: sqlite MDB2 driver