
MatthewLilley's avatar

Preventing duplicate requests on the server side.

I've built a simple API. When a user posts a request, a model is created and a bunch of related models are attached to it; some are detached from the user. The problem, though, is that I can always game the server using curl.

I'm looking for a couple of options to prevent duplicate requests on the server side. I've yet to find any reasonable solution.

Any help is appreciated.

Cheers, Matthew

0 likes
5 replies
Pendo's avatar

The first thing that comes to mind is some kind of function that locks a request to your API? For instance, if someone POSTs to /user, you can register this in a table stating that POST-user for API key 123456 is currently being executed. At the beginning of the method that creates the User, you can check your database for a record matching the API key and the action they are trying to do. If a record is found: don't execute yet.

1 like
MatthewLilley's avatar

Seems locking is the correct solution. I was also wondering about using JWT and simply refreshing on each request, but I think that might have the same issues. I guess I can make a record in Redis if there isn't one, and then once the request is complete, delete that record. I think that will actually work. Then simply send an error response if a request is being processed.

Pendo's avatar

I did a locking script once using simple files. The only thing I had to do was create a text file (123456_Post-user.lck) and do a file_exists check to see if the action was allowed. Cronjob locking can be achieved the same way.

1 like
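
The lock-per-API-key-and-action idea from the posts above, sketched in plain PHP as an added example (not code from any poster or from a package). The function names and the hashed lock-file naming are assumptions for illustration; the acquire uses an exclusive create so that the existence check and the create are a single step.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: one lock file per API key + action.
function lockPath(string $dir, string $apiKey, string $action): string
{
    // Hash the caller-supplied parts so they can never inject path separators.
    return $dir . '/' . hash('sha256', $apiKey . "\0" . $action) . '.lck';
}

// Atomic acquire: fopen mode 'x' fails if the file already exists, so checking
// and creating happen in one step. A separate file_exists() check followed by a
// create leaves a window in which two concurrent requests both pass the check.
function acquireLock(string $path): bool
{
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false; // an identical request already holds the lock
    }
    fclose($fh);
    return true;
}

// Runs $work only if no identical request is in flight; returns [status, body].
function handleOnce(string $dir, string $apiKey, string $action, callable $work): array
{
    $path = lockPath($dir, $apiKey, $action);
    if (!acquireLock($path)) {
        return [409, 'request already in progress'];
    }
    try {
        return [201, $work()];
    } finally {
        unlink($path); // release even if $work() throws
    }
}

// Constructed demo: the second call arrives while the first is still running.
$dir = sys_get_temp_dir();
$outer = handleOnce($dir, '123456', 'POST-user', function () use ($dir) {
    $inner = handleOnce($dir, '123456', 'POST-user', fn () => 'never runs');
    return 'created; duplicate got ' . $inner[0];
});
echo $outer[0], ' ', $outer[1], PHP_EOL;
```

A lock file left behind by a worker that dies before the `finally` runs stays until it is removed. The Redis `SET` command with the `NX` and `EX` options gives the same atomic acquire with automatic expiry.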
MatthewLilley's avatar

Alt Three's locker package allows you to lock certain routes based on the session id. Just add the middleware to the routes you need to protect, and you're set to go. Works out of the box with no configuration.

1 like
