prevent automated submissions via sessions


Ultimater
07-22-2005, 02:57 PM
I got a nice little FORM for the user to fill out, then when it's sent, my PHP program adds their entry to my database. How do I prevent automated submissions? I'm still new to sessions, so I will need a few working examples to explain sessions better to me.... I've heard you should add their session id in a hidden INPUT element, so when the form submits, then it checks if the session exists or something. I'm a total newbie to sessions, so I'll need a full explanation. How do you assign a session to a user? How does it end? Are they produced randomly? Any simple working examples would be greatly appreciated -- thanks.

CompGeek01
07-22-2005, 03:50 PM
Sessions won't help automated submissions. I can create a Perl script that fills out a form just like a human being. It's quite easy. The only way to prevent automatic form submissions (if I'm understanding you right) is to make a random graphic and ask the user to identify it (like a number or a letter). You've probably seen them throughout your web career.

Ultimater
07-22-2005, 06:23 PM
Hmm... How about a flood control or maximum submission counter? Would that be better to do with sessions or IP addresses? Let's say I want a specific computer to only be allowed to submit 5 times per day. How would I go about this, 'cause people do have dynamic IP addresses, so I wouldn't be able to block all their IP addresses for 24 hours even if they did submit 5 times in one day. Would sessions have any power here -- I got no idea how sessions work..... Any ideas, any?

CompGeek01
07-22-2005, 09:07 PM
Hm. IP counting should be fairly accurate. The thing about sessions is that a lot of the time you can always get a new session ID... which isn't good for your case. I don't know how to do it other than IP counting off the top of my head. That can be spoofed too, but it's more trouble than it's worth most times.

bathurst_guy
07-22-2005, 09:14 PM
Other than IP counting, I think cookies are the only other way. Neither method is 100%, but a mix of both would definitely minimise the amount of submissions over 5.

BeachSide
07-23-2005, 06:33 AM
Also, one thing that was not touched upon is that sessions expire after the session is closed or the browser is closed. Therefore, if you wanted to make sure that a user hasn't submitted a form any number of times within a 24-hour time period, sessions would not be the way to go.

Cookies and/or IP logging as was mentioned above is the way to go for sure.
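
The flood control discussed in the posts above (at most 5 submissions per 24 hours, counted by IP address and by a long-lived cookie together), as an added example that is not part of the original thread. The table, cookie name (`sub_token`) and function names are hypothetical, and the demo uses an in-memory SQLite database with constructed documentation-range IP addresses.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.
const LIMIT  = 5;       // submissions allowed per window
const WINDOW = 86400;   // 24 hours, in seconds

function init_store(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS submissions (
        ip TEXT NOT NULL, token TEXT NOT NULL, ts INTEGER NOT NULL)');
}

// Returns true and records the attempt if the client is under the limit.
// A row counts against the client when EITHER the IP or the cookie token
// matches, so a new dynamic IP alone or cleared cookies alone does not
// reset the counter.
function allow_submission(PDO $db, string $ip, string $token, int $now): bool {
    $q = $db->prepare('SELECT COUNT(*) FROM submissions
                       WHERE ts > :since AND (ip = :ip OR token = :token)');
    $q->execute([':since' => $now - WINDOW, ':ip' => $ip, ':token' => $token]);
    if ((int)$q->fetchColumn() >= LIMIT) {
        return false;
    }
    $ins = $db->prepare('INSERT INTO submissions (ip, token, ts) VALUES (?, ?, ?)');
    $ins->execute([$ip, $token, $now]);
    return true;
}

// Reuse the visitor's token cookie if it is well-formed, else issue a new one.
function client_token(array $cookies): string {
    $t = $cookies['sub_token'] ?? '';
    $valid = is_string($t) && preg_match('/^[0-9a-f]{32}$/', $t) === 1;
    return $valid ? $t : bin2hex(random_bytes(16));
}

// Constructed demo data: RFC 5737 documentation addresses.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
init_store($db);
$token = client_token([]);
$now   = time();
for ($i = 1; $i <= 6; $i++) {   // one attempt more than LIMIT
    $ok = allow_submission($db, '192.0.2.10', $token, $now);
    printf("attempt %d: %s\n", $i, $ok ? 'accepted' : 'blocked');
}
// Same cookie arriving from a different IP, then a client with neither match.
var_dump(allow_submission($db, '192.0.2.77', $token, $now));
var_dump(allow_submission($db, '198.51.100.5', client_token([]), $now));
```

In a real form handler the IP would come from `$_SERVER['REMOTE_ADDR']` and the token would be sent back to the browser with `setcookie()` using an expiry of at least the 24-hour window.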

dera
07-25-2005, 04:53 AM
Force a preview button, so it goes to a preview page and then it can be submitted, like the comment forms in Textpattern.