Solved

check referring page

Posted on 2011-09-06
Last Modified: 2013-12-25
I have a sweepstakes landing page with a quiz. To enter the sweepstakes users must complete the quiz and at the end there is a link to an entry form (which takes them to the form page).  They can only enter once per day. On the form, if they choose, they can click "remember me" so the form fields will auto-populate on future visits (cookies). How can I...

1. On future visits, make sure they do not bypass the quiz by going directly to the form page (bookmarking it, etc).

2. Limit them to only one entry per day (check the db and if there is already an entry with their email dated today - give them a "sorry" message)

P.S. I do not want to use login for this. Not sure if this matters, but the quiz is in both Flash (for web) version and JavaScript (for mobile).

Also, I am only a lightweight programmer so prefer the simplest solution. This site uses PHP and MySQL.

Thank you.
0
Question by:web5dev7
10 Comments
 
LVL 82

Expert Comment

by:leakim971
ID: 36492476
You need to manage user sessions; check this good article: http://www.sitepoint.com/users-php-sessions-mysql/
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36493067
If this has any economic value to you, consider hiring a heavy-weight professional programmer.  The potential for catastrophic error is arbitrarily large.

That said, you might want to employ "flash cookies" since most casually knowledgeable hackers will defeat conventional cookies in a matter of moments.
http://en.wikipedia.org/wiki/Local_Shared_Object
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

You can add a level of security to your cookies with something like the code snippet.  
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

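    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // hash_equals() COMPARES AS STRINGS; == WOULD TYPE-JUGGLE NUMERIC-LOOKING HASHES
    if (count($array) == 2 && hash_equals($cookie_test, $array[1]))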
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

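    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // hash_equals() COMPARES AS STRINGS; == WOULD TYPE-JUGGLE NUMERIC-LOOKING HASHES
    if (count($array) == 2 && hash_equals($cookie_test, $array[1]))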
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}



If you are running a sweepstakes, make sure your application is legal in all countries that you serve.  The criminal penalties for violating gambling rules are severe and most of the penalties involve handcuffs and prison.  Not something to trifle with, I assure you.

Good luck with your project, ~Ray
0
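The same tamper check as in the answer above, as an added example that is not code from this thread: it swaps md5(value . secret) for HMAC-SHA256, binds an expiry time into the signed payload, and compares with hash_equals(). The key constant, function names and one-day lifetime are assumptions.

```php
<?php
// Added example: HMAC-signed cookie value with a signed expiry time.
// COOKIE_KEY, the function names and the lifetime are assumptions.

const COOKIE_KEY = 'replace-with-32-random-bytes-kept-out-of-the-web-root';

// Build "value|expiry|mac". The expiry is covered by the MAC, so it
// cannot be extended without invalidating the signature.
function sign_cookie(string $value, int $ttl = 86400, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = $value . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the original value, or null when the cookie is malformed,
// altered, or past its expiry time.
function verify_cookie(string $cookie, ?int $now = null): ?string
{
    // Split from the right so a '|' inside the value cannot shift fields.
    $macPos = strrpos($cookie, '|');
    if ($macPos === false) {
        return null;
    }
    $payload  = substr($cookie, 0, $macPos);
    $mac      = substr($cookie, $macPos + 1);
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time, string-only compare
        return null;
    }
    $expPos = strrpos($payload, '|');
    if ($expPos === false) {
        return null;
    }
    if ((int) substr($payload, $expPos + 1) < ($now ?? time())) {
        return null;
    }
    return substr($payload, 0, $expPos);
}

// Constructed sample data.
$cookie = sign_cookie('MARY HAD A LITTLE LAMB');
var_dump(verify_cookie($cookie));                               // untouched cookie
var_dump(verify_cookie(str_replace('MARY', 'FRED', $cookie)));  // altered value
var_dump(verify_cookie($cookie, time() + 2 * 86400));           // checked two days later
```

In a page, the result of sign_cookie() is what goes into setcookie(), and verify_cookie() is applied to the value read back from $_COOKIE.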
 

Author Comment

by:web5dev7
ID: 36497813
Thanks for your help so far.

Ray, I hear what you're saying about hiring a pro and I tend to agree.

However, in an effort to keep it simple and a desire to learn - what about using .htaccess to accomplish item#1 - as described in this article:
http://www.w3.org/TR/WCAG20-TECHS/SVR2.html

Your thoughts?
0

 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 36498123
Yes, I think you can do that.  I have never used it but it seems acceptable.  You can also use PHP authentication of some sort.  Even if you do not require clients to register and login, you can cookie the browser.  E-Commerce sites do this all the time so they can create a shopping cart for you even though they do not yet know who you are.  You can also check $_SERVER["HTTP_REFERER"] to see if the client came from your web site to the deep link.
0
 

Author Comment

by:web5dev7
ID: 36500201
The htaccess is not working - how about this....

Normally I use Coldfusion for this stuff and a "gateway" page to restrict access to the entry form. So maybe a translation to php would work. Do you know how I could write the following in php:

Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.cfm" method="post" name="Form1">
<cfoutput>
<input type="hidden" name="fromquiz" value="Y">
</cfoutput>
</form>

Code on the form page:

<cfif IsDefined("form.fromquiz") is "False">
<cflocation url="error.cfm?err=badpath">
</cfif>

Then for restricting form entries to once per day per user (email):
<cfquery name="oneaday" datasource="mydb">
select email from QUIZ_TABLE
where email = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar">
and submitdate = <cfqueryparam value="#form.submitdate#" cfsqltype="cf_sql_varchar">
and form_action = 'quizentry'
</cfquery>
<cfif oneaday.recordcount NEQ 0><cflocation url="error.cfm?err=dup-game"></cfif>

thanks
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36500328
Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.php" method="post" name="Form1">
<?PHP
     echo '<input type="hidden" name="fromquiz" value="Y">';
?>
</form>

Code on the form page:
<?PHP
     // The hidden field must be present; stop the script after sending the redirect
     if( !isset( $_REQUEST["fromquiz"] ) ){
         header('Location: error.php?err=badpath');
         exit;
     }
?>

Then for restricting form entries to once per day per user (email):

<?PHP

// Note: the mysql_* functions used here were removed in PHP 7 (mysqli and PDO replace them)
if( isset($_REQUEST["email"]) && isset($_REQUEST["submitdate"]) ) {

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

// make foo the current db
$db_selected = mysql_select_db('foo', $link);
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}

// trim first, then escape, so the escaped value is what reaches the query
$result = mysql_query('select email from QUIZ_TABLE where email = \'' . mysql_real_escape_string (trim ($_REQUEST["email"])) . '\' and submitdate = \'' . mysql_real_escape_string (trim ($_REQUEST["submitdate"])) . '\' and form_action = \'quizentry\'');
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

// an entry for this email and date already exists: redirect and stop
if( mysql_num_rows($result) != 0 ) {
    header('Location: error.php?err=dup-game');
    exit;
}


}
?>
0
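An alternative to the hidden-field gate and the submitted date above, as an added example that is not code from this thread: the quiz page records completion in the server-side session (a hidden field or Referer header is whatever the browser sends), and a unique index on email and entry date enforces one entry per day using the server's date. The table, column, function and session-key names are assumptions, and in-memory SQLite stands in for MySQL so the block runs offline.

```php
<?php
// Added example, not code from the thread. Table/column names (entries,
// email, entry_date) and the session key 'quiz_done_on' are assumptions.

// The quiz page calls this on the server when the quiz is finished.
function mark_quiz_done(array &$session): void
{
    $session['quiz_done_on'] = date('Y-m-d');
}

// The form page calls this before showing or accepting the entry form.
function came_from_quiz(array $session): bool
{
    return ($session['quiz_done_on'] ?? '') === date('Y-m-d');
}

// Insert today's entry; return false when this email already entered today.
// The UNIQUE index decides, so two simultaneous submissions cannot both
// slip through a SELECT-then-INSERT gap. The date comes from the server.
function record_entry(PDO $db, string $email): bool
{
    $stmt = $db->prepare('INSERT INTO entries (email, entry_date) VALUES (?, ?)');
    try {
        $stmt->execute([strtolower(trim($email)), date('Y-m-d')]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Constructed demo; in-memory SQLite stands in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (email TEXT NOT NULL, entry_date TEXT NOT NULL,
                                 UNIQUE (email, entry_date))');

$session = [];                        // stands in for $_SESSION after session_start()
var_dump(came_from_quiz($session));   // direct visit to the form page
mark_quiz_done($session);
var_dump(came_from_quiz($session));   // visit after finishing the quiz
var_dump(record_entry($db, 'mary@example.com'));    // first entry today
var_dump(record_entry($db, ' Mary@Example.com'));   // same address, same day
```

On the real pages, call session_start() first and pass $_SESSION to the two session functions.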
 

Author Comment

by:web5dev7
ID: 36500914
Leakim,

Regarding this part:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

Is that all it needs to connect? Or do I also need to add a connection file (include) on the form page, something like:
<?php require_once('connect.php');?>

and connect.php has something like:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connect = "localhost";
$database_connect = "mydbname";
$username_connect = "dbusername";
$password_connect = "mypassword";
$connect = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
?>

Or is everything it needs already included in your code ?
0
 
LVL 82

Assisted Solution

by:leakim971
leakim971 earned 250 total points
ID: 36501593
>Is that all it needs to connect?

yes
0
 

Author Comment

by:web5dev7
ID: 36503755
ok, so I guess I need to replace "foo" with my actual db name and the actual user/pass in place of: mysql_user, mysql_password in your code:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

correct?

0
 

Author Closing Comment

by:web5dev7
ID: 36582179
partial solution
0
