Solved

check referring page

Posted on 2011-09-06
Last Modified: 2013-12-25
I have a sweepstakes landing page with a quiz. To enter the sweepstakes users must complete the quiz and at the end there is a link to an entry form (which takes them to the form page).  They can only enter once per day. On the form, if they choose, they can click "remember me" so the form fields will auto-populate on future visits (cookies). How can I...

1. On future visits, make sure they do not bypass the quiz by going directly to the form page (bookmarking it, etc).

2. Limit them to only one entry per day (check the db and if there is already an entry with their email dated today - give them a "sorry" message)

p.s. I do not want to use login for this. Not sure if this matters, but the quiz is in both Flash (for web) version and JavaScript (for mobile).

Also, I am only a lightweight programmer so prefer the simplest solution. This site uses PHP and MySQL.

Thank you.
Question by:web5dev7
10 Comments
 
LVL 82

Expert Comment

by:leakim971
ID: 36492476
You need to manage the user session; check this good article: http://www.sitepoint.com/users-php-sessions-mysql/
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36493067
If this has any economic value to you, consider hiring a heavy-weight professional programmer.  The potential for catastrophic error is arbitrarily large.

That said, you might want to employ "flash cookies" since most casually knowledgeable hackers will defeat conventional cookies in a matter of moments.
http://en.wikipedia.org/wiki/Local_Shared_Object
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

You can add a level of security to your cookies with something like the code snippet.  
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

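    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // (STRICT COMPARISON AVOIDS TYPE JUGGLING; A COOKIE WITH NO DELIMITER IS CORRUPT)
    if (isset($array[1]) && $cookie_test === $array[1])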
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // (STRICT COMPARISON AVOIDS TYPE JUGGLING; A COOKIE WITH NO DELIMITER IS CORRUPT)
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}



If you are running a sweepstakes, make sure your application is legal in all countries that you serve.  The criminal penalties for violating gambling rules are severe and most of the penalties involve handcuffs and prison.  Not something to trifle with, I assure you.

Good luck with your project, ~Ray
0
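A keyed variant of the cookie check in the answer above, as an added example that is not part of the original post: it uses `hash_hmac` with SHA-256 instead of `md5`, compares with the constant-time `hash_equals`, and signs an expiry time into the cookie. The secret, the function names `sign_cookie` and `verify_cookie`, and the cookie layout are assumptions made for illustration.

```php
<?php
// Added example, not the answer's code. Requires PHP 7.1 or later.
// The secret is a constructed placeholder; load the real one from configuration.
const COOKIE_SECRET = 'constructed-example-secret-change-me';

// Build "base64(value)|expiry|mac". Base64 never contains '|', so the payload
// cannot collide with the delimiter.
function sign_cookie(string $value, int $ttl, string $secret = COOKIE_SECRET): string
{
    $payload = base64_encode($value) . '|' . (time() + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Return the original value, or null if the cookie is malformed, altered or expired.
function verify_cookie(string $cookie, string $secret = COOKIE_SECRET): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                              // wrong shape
    }
    [$b64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;                              // value or expiry was changed
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;                              // signed correctly but too old
    }
    $value = base64_decode($b64, true);
    return $value === false ? null : $value;
}

// Constructed demonstration: a valid cookie, then the same cookie with the
// data part swapped while the old MAC is kept.
$cookie = sign_cookie('MARY HAD A LITTLE LAMB', 86400);
var_dump(verify_cookie($cookie));

$altered = str_replace(
    base64_encode('MARY HAD A LITTLE LAMB'),
    base64_encode('FRED HAD A LITTLE LAMB'),
    $cookie
);
var_dump(verify_cookie($altered));
```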
 

Author Comment

by:web5dev7
ID: 36497813
Thanks for your help so far.

Ray, I hear what you're saying about hiring a pro and I tend to agree.

However, in an effort to keep it simple and a desire to learn - what about using .htaccess to accomplish item#1 - as described in this article:
http://www.w3.org/TR/WCAG20-TECHS/SVR2.html

Your thoughts?
0

 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 36498123
Yes, I think you can do that.  I have never used it but it seems acceptable.  You can also use PHP authentication of some sort.  Even if you do not require clients to register and login, you can cookie the browser.  E-Commerce sites do this all the time so they can create a shopping cart for you even though they do not yet know who you are.  You can also check $_SERVER["HTTP_REFERER"] to see if the client came from your web site to the deep link.
0
 

Author Comment

by:web5dev7
ID: 36500201
The htaccess is not working - how about this....

Normally I use Coldfusion for this stuff and a "gateway" page to restrict access to the entry form. So maybe a translation to php would work. Do you know how I could write the following in php:

Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.cfm" method="post" name="Form1">
<cfoutput>
<input type="hidden" name="fromquiz" value="Y">
</cfoutput>
</form>

Code on the form page:

<cfif IsDefined("form.fromquiz") is "False">
<cflocation url="error.cfm?err=badpath">
</cfif>

Then for restricting form entries to once per day per user (email):
<cfquery name="oneaday" datasource="mydb">select email from QUIZ_TABLE where email = '#trim(form.email)#' and submitdate = '#form.submitdate#' and form_action = 'quizentry'</cfquery>
<cfif oneaday.recordcount NEQ 0><cflocation url="error.cfm?err=dup-game"></cfif>

thanks
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36500328
Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.php" method="post" name="Form1">
<?PHP
     echo '<input type="hidden" name="fromquiz" value="Y">';
?>
</form>

Code on the form page:
<?PHP
     if( !isset( $_REQUEST["fromquiz"] ) ){
         header('Location: error.php?err=badpath');
         exit; // stop here, otherwise the rest of the form page still runs
     }
?>

Then for restricting form entries to once per day per user (email):

<?PHP

if( isset($_REQUEST["email"]) && isset($_REQUEST["submitdate"]) ) {

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

// make foo the current db
$db_selected = mysql_select_db('foo', $link);
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}

$result = mysql_query('select email from QUIZ_TABLE where email = \'' . trim (mysql_real_escape_string ($_REQUEST["email"])) . '\' and submitdate = \'' . trim (mysql_real_escape_string ($_REQUEST["submitdate"])) . '\' and form_action = \'quizentry\'');
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

if( mysql_num_rows($result) != 0 ) {
    header('Location: error.php?err=dup-game');
    exit; // stop here so the duplicate entry is not processed
}


}
?>
0
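A server-side version of the gate and the once-a-day check discussed above, as an added example that is not code from the thread: the quiz pass lives in the session rather than in a hidden form field, the entry date comes from the server, and a UNIQUE index lets the database refuse the second entry. The function names, the 30-minute window and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example, not code from the thread. QUIZ_TABLE and its columns follow the
// thread; function names, the 30-minute window and SQLite are assumptions.

// Quiz side: call from the PHP page the finished quiz links to.
function grant_quiz_pass(array &$session): void
{
    $session['quiz_done_at'] = time();
}

// Form side: false for a direct or bookmarked visit, true once per finished quiz.
function consume_quiz_pass(array &$session, int $maxAge = 1800): bool
{
    $doneAt = $session['quiz_done_at'] ?? 0;
    unset($session['quiz_done_at']);              // single use
    return $doneAt > 0 && (time() - $doneAt) <= $maxAge;
}

// Returns true if stored, false if the address is invalid or already entered today.
function record_entry(PDO $db, string $email): bool
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare(
        "INSERT INTO QUIZ_TABLE (email, submitdate, form_action) VALUES (?, ?, 'quizentry')"
    );
    try {
        $stmt->execute([$email, date('Y-m-d')]);  // server date, not a form field
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // SQLSTATE: unique index violated
            return false;
        }
        throw $e;
    }
}

// Constructed demonstration; $session stands in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE QUIZ_TABLE (email TEXT, submitdate TEXT, form_action TEXT,
           UNIQUE (email, submitdate, form_action))");
$session = [];
var_dump(consume_quiz_pass($session));             // direct visit, no pass
grant_quiz_pass($session);
var_dump(consume_quiz_pass($session));             // pass granted by the quiz
var_dump(record_entry($db, 'Mary@example.com'));   // first entry today
var_dump(record_entry($db, ' mary@example.com ')); // same address again today
```

On MySQL the same effect comes from a unique key over (email, submitdate, form_action); the insert then fails atomically, so two simultaneous submissions cannot both pass a separate SELECT check.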
 

Author Comment

by:web5dev7
ID: 36500914
Leakim,

Regarding this part:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

Is that all it needs to connect? or do I also need to add a connection file (include) on the form page something like:
<?php require_once('connect.php');?>

and connect.php have something like:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connect = "localhost";
$database_connect = "mydbname";
$username_connect = "dbusername";
$password_connect = "mypassword";
$connect = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
?>

Or is everything it needs already included in your code ?
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36501593
>Is that all it needs to connect?

yes
0
 

Author Comment

by:web5dev7
ID: 36503755
ok, so I guess I need to replace "foo" with my actual db name and the actual user/pass in place of: mysql_user, mysql_password in your code:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

correct?

0
 

Author Closing Comment

by:web5dev7
ID: 36582179
partial solution
0

Question has a verified solution.
