Using a randomly generated token for flood control.

Posted by James P on Stack Overflow
Published on 2010-06-13T14:24:36Z Indexed on 2010/06/13 14:32 UTC

Basic setup of my site is: user enters a message on the homepage, hits enter and the message is sent through an AJAX request to a file called like.php where it echoes a link that gets sent back to the user.

I have made the input disable when the user presses enter, but there's nothing stopping the user from just constantly flooding like.php with POST requests and filling up my database.

Someone here on SO told me to use a token system but didn't mention how. I've seen this being done before and from what I know it is effective.

The only problem I have is how will like.php know it's a valid token? My code is this at the moment:

$token = md5(rand(0, 9999) * 1000000);

and the markup:

<input type="hidden" name="token" value="<?php echo $token ?>" />

Which will send the token to like.php through POST. But how will like.php know that this is a valid token? Should I instead token something that's linked to the user? Like their IP address? Or perhaps token the current minute and check that it's the same minute in like.php...

Any help on this matter would be greatly appreciated, thanks. :)
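
An added example, not part of the original post: one way like.php can recognise a valid token is to have the server remember the token it issued (in the session) and compare the submitted value against that record, accepting each token once. The function names, the `$session` array layout, `TOKEN_TTL` and `MIN_INTERVAL` are assumptions made for illustration.

```php
<?php
// Added example. Function names, the $session array layout, TOKEN_TTL and
// MIN_INTERVAL are assumptions, not taken from the original post.
const TOKEN_TTL = 600;     // seconds a token stays valid after the form is rendered
const MIN_INTERVAL = 5;    // seconds required between accepted posts per session

// Form page: generate an unpredictable token and remember it server-side.
function issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['flood_token'] = ['value' => $token, 'issued' => $now];
    return $token;                        // goes into the hidden <input>
}

// like.php: accept the POST only if the token matches the stored one.
function accept_post(array &$session, string $submitted, int $now): bool
{
    $stored = $session['flood_token'] ?? null;
    unset($session['flood_token']);       // single use, even when the check fails
    if ($stored === null || !hash_equals($stored['value'], $submitted)) {
        return false;                     // never issued to this session, or replayed
    }
    if ($now - $stored['issued'] > TOKEN_TTL) {
        return false;                     // stale form
    }
    if ($now - ($session['last_post'] ?? 0) < MIN_INTERVAL) {
        return false;                     // too soon after the previous accepted post
    }
    $session['last_post'] = $now;
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$t0 = 1000000;
$token = issue_token($session, $t0);
var_dump(accept_post($session, $token, $t0 + 1));   // first submit
var_dump(accept_post($session, $token, $t0 + 2));   // replay of the same token
$next = issue_token($session, $t0 + 2);             // like.php returns a fresh token
var_dump(accept_post($session, $next, $t0 + 3));    // within MIN_INTERVAL
$next = issue_token($session, $t0 + 3);
var_dump(accept_post($session, $next, $t0 + 10));   // fresh token, interval elapsed
```

On the site itself, call `session_start()` and pass `$_SESSION` in place of the demo array; like.php then sends a newly issued token back with its AJAX response so the next submit has one to present.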
