Sorry I edited my initial post a few times, you may not have seen the paragraph I added.
Use a hash of the data which your PHP server saves, then reject on repeated attacks. As the IV changes the data should never repeat, and therefore can be ignored. Also use a message ID which is part of the hash. This provides a digital signature as the data, IV, and hash will only be correct on valid data, so if the ID is processed it can be dumped.
CRC was meant to be IV, corrected above.