Hi all. Last week I was hit by a DDoS attack. There were 3 million requests in 10 minutes on category pages. Of course the server was down. They used ?items_per_page=96000 at the end of the link.
Any idea how to restrict this? For example, when they try to access more than 48, they would be redirected to the main page or to the main category.
Thanks
Hello,
This check should, and surely will, be added by default by the CS-Cart team. Meanwhile, to prevent this you can simply use the hook “get_products” to add the code:
    $product_steps = fn_get_product_pagination_steps(
        Registry::get('settings.Appearance.columns_in_products_list'),
        Registry::get('settings.Appearance.products_per_page')
    );
    $max_items_per_page = max($product_steps);
    if (!empty($params['limit'])) {
        $params['limit'] = (int) $params['limit'] > $max_items_per_page ? $max_items_per_page : $params['limit'];
    } elseif (!empty($params['items_per_page'])) {
        $params['items_per_page'] = (int) $params['items_per_page'] > $max_items_per_page ? $max_items_per_page : $params['items_per_page'];
    }
As an example, I will use the add-on “My Changes”.
File: app/addons/my_changes/init.php
<?php
defined('BOOTSTRAP') or die('Access denied');
fn_register_hooks(
    'get_products'
);
File: app/addons/my_changes/func.php
<?php
use Tygh\Registry;

defined('BOOTSTRAP') or die('Access denied');

function fn_my_changes_get_products(&$params, $fields, $sortings, $condition, $join, $sorting, $group_by, $lang_code, $having)
{
    // Apply the cap on the storefront only
    if (AREA == 'C') {
        // Largest page size offered by the store's own pagination settings
        $product_steps = fn_get_product_pagination_steps(
            Registry::get('settings.Appearance.columns_in_products_list'),
            Registry::get('settings.Appearance.products_per_page')
        );
        $max_items_per_page = max($product_steps);

        // Clamp whichever size parameter the request supplied
        if (!empty($params['limit'])) {
            $params['limit'] = (int) $params['limit'] > $max_items_per_page ? $max_items_per_page : $params['limit'];
        } elseif (!empty($params['items_per_page'])) {
            $params['items_per_page'] = (int) $params['items_per_page'] > $max_items_per_page ? $max_items_per_page : $params['items_per_page'];
        }
    }
}
I hope the above is useful to you.
Updated: March 29, 2023
5 Likes
That’s a nice modification you have there! 
I want to offer an alternative in case someone ever wants to apply the limits to every entity that might be affected by the items_per_page parameter:
This example will also use the My Changes add-on.
File: app/addons/my_changes/init.php
<?php
if (!defined('BOOTSTRAP')) { die('Access denied'); }
fn_register_hooks(
    'before_dispatch'
);
File: app/addons/my_changes/func.php
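<?php
use Tygh\Enum\SiteArea;

if (!defined('BOOTSTRAP')) { die('Access denied'); }

function fn_my_changes_before_dispatch()
{
    // Leave admin-area requests and requests without the parameter untouched
    if (!SiteArea::isStorefront(AREA) || !isset($_REQUEST['items_per_page'])) {
        return;
    }

    // Normalise to an integer before comparing
    $items_per_page = (int) $_REQUEST['items_per_page'];
    if ($items_per_page > 0) {
        $_REQUEST['items_per_page'] = min($items_per_page, 96);
    } else {
        // Zero, negative or non-numeric: drop it so the store default applies
        unset($_REQUEST['items_per_page']);
    }
}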
This will limit the items per page to a maximum of 96 for all entities that can use this parameter.
6 Likes
I didn’t realize one could go more than 96. Limiting it to no more than 96 should be the default.
2 Likes
Yes, I agree with you and have created a new feature request for the developers on this case.
1 Like
Thanks everyone for helping me. Awesome community.
1 Like
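Added example (not from any post in this thread, and not CS-Cart code): a small Python script for checking web server access logs for the request pattern described in the first post, reporting which clients sent an items_per_page value above 96. It assumes the combined log format; the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

MAX_ITEMS = 96  # largest page size discussed in the thread
# Combined log format: client IP, identity, user, [time], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# PHP's (int) cast keeps the leading digits of "96000abc", so match the same way
LEADING_INT = re.compile(r"\s*(\d{1,18})")

# Constructed sample lines (documentation IP ranges, made-up paths)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /electronics/?items_per_page=96000 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /apparel/?items%5Fper%5Fpage=96000abc HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:02 +0000] "GET /electronics/?items_per_page=48 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /apparel/?sort_by=price&items_per_page=500 HTTP/1.1" 200 512',
    'this line is not an access log entry',
]


def oversized_page_requests(lines, max_items=MAX_ITEMS):
    """Map client IP -> {"hits", "largest"} for requests above max_items."""
    offenders = defaultdict(lambda: {"hits": 0, "largest": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a request line
        ip, target = m.groups()
        # parse_qs percent-decodes names, so items%5Fper%5Fpage is caught too
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        sizes = []
        # If the parameter is repeated, flag on the largest value seen
        for raw in query.get("items_per_page", []):
            found = LEADING_INT.match(raw)
            if found:
                sizes.append(int(found.group(1)))
        largest = max(sizes, default=0)
        if largest > max_items:
            offenders[ip]["hits"] += 1
            offenders[ip]["largest"] = max(offenders[ip]["largest"], largest)
    return dict(offenders)


if __name__ == "__main__":
    ranked = sorted(oversized_page_requests(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for ip, stats in ranked:
        print(f'{ip}\t{stats["hits"]} oversized requests\tmax={stats["largest"]}')
```

To use it on a real log, pass an open file object instead of SAMPLE_LOG; the function reads it line by line.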