An easy way to protect web data submissions via POST or GET against flood requests or simple DDoS attacks is to use session-based submission limits with time intervals.
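    <?php
    session_start(); // the counters below live in the session

    // Count this attempt; the first attempt of a window also records its start time.
    if ( ! empty( $_SESSION['count-atmps'] ) ) {
        $_SESSION['count-atmps']++;
    } else {
        $_SESSION['interval'] = time();
        $_SESSION['count-atmps'] = 1;
    }

    $elapsed = time() - $_SESSION['interval'];

    // Refuse the fourth and later attempts made within 100 seconds of the first.
    if ( $_SESSION['count-atmps'] > 3 && $elapsed < 100 ) {
        die( 'Too many login attempts, come back later.' );
    } elseif ( $elapsed >= 100 ) {
        // The window has passed: clear the counters so the next request starts fresh.
        unset( $_SESSION['count-atmps'], $_SESSION['interval'] );
    }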
The above allows three attempts within a 100-second interval. After three attempts, the user agent cannot submit another request until the 100-second mark has passed; it is then allowed three more attempts.
A good idea might be to increase the time interval by itself each time the interval is unset, which lengthens the wait between allowed submission attempts: the more often the user is timed out, the longer each timeout becomes. For instance, with a 100-second interval, ($int_val + $int_val) = 200; or, to grow exponentially, you can multiply: ($int_val * $int_val) = 10000.
You can, of course, increase the number of allowed attempts and the time interval. To be strict, you can always, at some point, ban the IP outright from any future attempts.
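
The escalating interval described above, as an added example (not the original author's code; PHP 7 or later). The function name, the constants and the one-hour ceiling are assumptions made for illustration, and the interval here grows only when a window actually ended in a timeout.

```php
<?php
// Added example: escalating lockout. All names here are hypothetical.
const MAX_ATTEMPTS  = 3;    // attempts allowed per window (value from the text)
const BASE_INTERVAL = 100;  // first window in seconds (value from the text)
const MAX_INTERVAL  = 3600; // assumed ceiling so the window cannot grow without bound

/**
 * Record one attempt in $state (pass $_SESSION in a real request) and
 * return true if it may proceed, false if the client is timed out.
 */
function allow_attempt(array &$state, int $now): bool
{
    $interval = $state['interval'] ?? BASE_INTERVAL;

    if (isset($state['start']) && $now - $state['start'] >= $interval) {
        // Window over. If it ended in a timeout, add the interval to itself
        // for the next window; the counters are cleared either way.
        if ($state['count'] > MAX_ATTEMPTS) {
            $state['interval'] = min($interval + $interval, MAX_INTERVAL);
        }
        unset($state['start'], $state['count']);
    }

    if (!isset($state['start'])) {
        $state['start'] = $now;
        $state['count'] = 0;
    }
    $state['count']++;

    return $state['count'] <= MAX_ATTEMPTS;
}

// Constructed demo: one client retrying every 20 seconds for ten minutes.
$session = [];
for ($t = 0; $t <= 600; $t += 20) {
    $ok = allow_attempt($session, $t);
    printf("t=%3ds  window=%3ds  %s\n", $t, $session['interval'] ?? BASE_INTERVAL,
        $ok ? 'allowed' : 'timed out');
}
```

The counters are only as persistent as the session that holds them, so for enforcement that outlives a session, such as the IP ban mentioned above, keep the same state server-side keyed by IP address or account name.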