Solved

check referring page

Posted on 2011-09-06
10
456 Views
Last Modified: 2013-12-25
I have a sweepstakes landing page with a quiz. To enter the sweepstakes users must complete the quiz and at the end there is a link to an entry form (which takes them to the form page).  They can only enter once per day. On the form, if they choose, they can click "remember me" so the form fields will auto-populate on future visits (cookies). How can I...

1. On future visits, make sure they do not bypass the quiz by going directly to the form page (bookmarking it, etc).

2. limit them to only one entry per day (check the db and if there is already an entry with their email dated today - give them a "sorry" message)

p.s. I do not want to use login for this. Not sure if this matters, but the quiz is in both Flash (for web) version and Javascrip (for mobile).

Also, I am only a lightweight programmer so prefer the simplest solution. This site uses PHP and MySQL.

thanks you.
0
Comment
Question by:web5dev7
  • 5
  • 3
  • 2
10 Comments
 
LVL 82

Expert Comment

by:leakim971
ID: 36492476
You need to manage user session, check this good article : http://www.sitepoint.com/users-php-sessions-mysql/
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36493067
If this has any economic value to you, consider hiring a heavy-weight professional programmer.  The potential for catastrophic error is arbitrarily large.

That said, you might want to employ "flash cookies" since most casually knowledgeable hackers will defeat conventional cookies in a matter of moments.
http://en.wikipedia.org/wiki/Local_Shared_Object
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

You can add a level of security to your cookies with something like the code snippet.  
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUT SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if ($cookie_test == $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUT SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if ($cookie_test == $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo"<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}

Open in new window


If you are running a sweepstakes, make sure your application is legal in all countries that you serve.  The criminal penalties for violating gambling rules are severe and most of the penalties involve handcuffs and prison.  Not something to trifle with, I assure you.

Good luck with your project, ~Ray
0
 

Author Comment

by:web5dev7
ID: 36497813
Thanks for your help so far.

Ray, I hear what your saying about hiring a pro and I tend to agree.

However, in an effort to keep it simple and a desire to learn - what about using .htaccess to accomplish item#1 - as described in this article:
http://www.w3.org/TR/WCAG20-TECHS/SVR2.html

Your thoughts?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 36498123
Yes, I think you can do that.  I have never used it but it seems acceptable.  You can also use PHP authentication of some sort.  Even if you do not require clients to register and login, you can cookie the browser.  E-Commerce sites do this all the time so they can create a shopping cart for you even though they do not yet know who you are.  You can also check $_SERVER["HTTP_REFERER"] to see if the client came from your web site to the deep link.
0
 

Author Comment

by:web5dev7
ID: 36500201
The htaccess not working - how about this....

Normally I use Coldfusion for this stuff and a "gateway" page to restrict access to the entry form. So maybe a translation to php would work. Do you know how could I write the following in php:

Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.cfm" method="post" name="entry">
<cfoutput>
<input type="hidden" name="fromquiz" value="Y">
</cfoutput>
</form>

Code on the form page:

<cfif IsDefined("form.fromquiz") is "False">
<cflocation url="error.cfm?err=badpath">
</cfif>

Then for restricting form entries to once per day per user (email):
<cfquery name="oneaday" datasource="mydb">select email from QUIZ_TABLE where email = '#trim(form.email)#' and submitdate = '#form.submitdate#' and form_action = 'quizentry'</cfquery>
<cfif az.recordcount NEQ 0><cflocation url="error.cfm?err=dup-game"></cfif>

thanks
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36500328
Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.php" method="post" name="Form1">
<?PHP
     echo '<input type="hidden" name="fromquiz" value="Y">';
?>
</form>

Code on the form page:
<?PHP
     if( !isset( $_REQUEST["fromquiz"] ) ){
         header('Location: error.php?err=badpath');
     }
?>

Then for restricting form entries to once per day per user (email):

<?PHP

if( isset($_REQUEST["email"]) && isset($_REQUEST["$submitdate"]) ) {

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

// make foo the current db
$db_selected = mysql_select_db('foo', $link);
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}

$result = mysql_query('select email from QUIZ_TABLE where email = \'' . trim (mysql_real_escape_string ($_REQUEST["email"])) . '\' and submitdate = \'' . trim (mysql_real_escape_string ($_REQUEST["$submitdate"])) . '\' and form_action = \'quizentry\'');
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

if( mysql_num_rows($result) != 0 ) {
    header('Location: error.php?err=dup-game');  
}


}
?>
0
 

Author Comment

by:web5dev7
ID: 36500914
Leakim,

Regarding this part:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

Is that all it needs to connect? or do I also need to add a connection file (include) on the form page something like:
<?php require_once('connect.php');?>

and connect.php have something like:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connect = "localhost";
$database_connect = "mydbname";
$username_connect = "dbusername";
$password_connect = "mypassword";
$connect = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
?>

Or is everything it needs already included in your code ?
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36501593
>Is that all it needs to connect?

yes
0
 

Author Comment

by:web5dev7
ID: 36503755
ok, so I guess I need to replace "foo" with my actual db name and the actual user/pass in place of: mysql_user, mysql_password in your code:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

correct?

0
 

Author Closing Comment

by:web5dev7
ID: 36582179
partial solution
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show, step by step, how to integrate R code into a R Sweave document
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Learn the basics of while and for loops in Python.  while loops are used for testing while, or until, a condition is met: The structure of a while loop is as follows:     while <condition>:         do something         repeate: The break statement m…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question