I recently found a huge security problem with my PM system that allows users to send a message as much as they want with a for loop in the address bar. Someone put this into the address bar:
javascript:for(x=0;x<10000;x++){ $('#compose form').submit(); }
And the message was sent 1000 times to me and my inbox was full of the same message and my database was so full that phpMyAdmin was being very laggy.
My question is, how can I prevent this? This is a major issue.
Also, the form is submitted with AJAX.
Edit:
I use PHP, so how can I prevent this? Like how could I make it to where a message can only be sent every 5 minutes or so and if they submit more than one within 5 minutes it will display an error (or not show any user feedback at all and just stop it from being submitted)?
There is one obvious way to fix it and the problem lies not on the client side – it lies on the server side.
Your server script should not allow sending messages too often – eg. often than, say, once each 10 minutes. To do it you can use session mechanism on the server side and save the information when the user sent the email. If user has not sent an email, you should also save that information in session – to distinguish people with session enabled from people with session disabled (and you should block the latter from sending emails at all).
The way session should be implemented (the specific code) depends on the language you use for server side scripting (PHP, Python, JSP etc.).