Solved

check referring page

Posted on 2011-09-06
Last Modified: 2013-12-25
I have a sweepstakes landing page with a quiz. To enter the sweepstakes users must complete the quiz and at the end there is a link to an entry form (which takes them to the form page).  They can only enter once per day. On the form, if they choose, they can click "remember me" so the form fields will auto-populate on future visits (cookies). How can I...

1. On future visits, make sure they do not bypass the quiz by going directly to the form page (bookmarking it, etc).

2. limit them to only one entry per day (check the db and if there is already an entry with their email dated today - give them a "sorry" message)

p.s. I do not want to use login for this. Not sure if this matters, but the quiz is in both a Flash (for web) version and Javascript (for mobile).

Also, I am only a lightweight programmer so prefer the simplest solution. This site uses PHP and MySQL.

thank you.
Question by:web5dev7
 
Expert Comment

by:leakim971
ID: 36492476
You need to manage user sessions; check this good article: http://www.sitepoint.com/users-php-sessions-mysql/
 
Accepted Solution

by:Ray Paseur earned 250 total points
ID: 36493067
If this has any economic value to you, consider hiring a heavy-weight professional programmer.  The potential for catastrophic error is arbitrarily large.

That said, you might want to employ "flash cookies" since most casually knowledgeable hackers will defeat conventional cookies in a matter of moments.
http://en.wikipedia.org/wiki/Local_Shared_Object
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

You can add a level of security to your cookies with something like the code snippet.  
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);


// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP


// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // ESCAPE THE COOKIE BEFORE ECHOING IT INTO THE PAGE (IT IS CLIENT-SUPPLIED DATA)
    $shown = htmlspecialchars($_COOKIE["safe_cookie"]);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // (STRICT === COMPARISON: A LOOSE == WOULD TREAT TWO NUMERIC-LOOKING HASHES AS EQUAL)
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE $shown IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE $shown IS CORRUPT";
    }
}
else
{
    // FIRST VISIT: THE COOKIE WAS JUST SENT BUT IS NOT PART OF THIS REQUEST YET
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}


// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    $shown = htmlspecialchars($_COOKIE["safe_cookie"]);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE $shown IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE $shown IS CORRUPT";
    }
}



If you are running a sweepstakes, make sure your application is legal in all countries that you serve.  The criminal penalties for violating gambling rules are severe and most of the penalties involve handcuffs and prison.  Not something to trifle with, I assure you.

Good luck with your project, ~Ray
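The "clear text | code" cookie layout from the snippet above, reworked as an added example (not Ray's code or part of the original thread) with an HMAC instead of a bare md5(), an expiry covered by the signature, and a constant-time comparison; it assumes PHP 5.6+ for hash_equals(), and the secret value is a placeholder. A signed cookie only proves the cookie was not altered; the once-per-day rule still has to be enforced server-side against the database.

```php
<?php
// Added example, not code from the original thread. Same "value|code" idea as
// the md5() snippet above, but with hash_hmac() and hash_equals() (PHP 5.6+).

// A long random secret, kept out of the web root (placeholder value here)
$secret_code = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';
$dlm = '|';

// Build "base64(value)|expires|hmac". base64 keeps the delimiter out of the data,
// and the expiry sits inside the signed part, so the client cannot extend it.
function make_signed_cookie($value, $ttl_seconds, $secret, $dlm)
{
    $payload = base64_encode($value) . $dlm . (time() + $ttl_seconds);
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . $dlm . $mac;
}

// Return the stored value if the cookie is intact and unexpired, otherwise null.
function read_signed_cookie($cookie, $secret, $dlm)
{
    $parts = explode($dlm, $cookie);
    if (count($parts) !== 3) {
        return null;                              // wrong shape: reject
    }
    list($b64, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $b64 . $dlm . $expires, $secret);
    if (!hash_equals($expected, $mac)) {          // constant time, no '==' juggling
        return null;                              // altered, or signed with another secret
    }
    if (!ctype_digit($expires) || (int)$expires < time()) {
        return null;                              // signed, but expired
    }
    $value = base64_decode($b64, true);
    return ($value === false) ? null : $value;
}

// Demonstration with a constructed value. On the live page you would call
// setcookie('safe_cookie', $cookie, time() + 86400, '/', '', true, true)
// (secure + httponly) and read back $_COOKIE['safe_cookie'] on the next request.
$cookie = make_signed_cookie('MARY HAD A LITTLE LAMB', 86400, $secret_code, $dlm);
var_dump(read_signed_cookie($cookie, $secret_code, $dlm));

// Change one character of the encoded value, as Ray's munging step does with
// MARY -> FRED; the HMAC no longer matches and the cookie is rejected.
$munged = 'U' . substr($cookie, 1);
var_dump(read_signed_cookie($munged, $secret_code, $dlm));
```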
 

Author Comment

by:web5dev7
ID: 36497813
Thanks for your help so far.

Ray, I hear what you're saying about hiring a pro and I tend to agree.

However, in an effort to keep it simple, and out of a desire to learn, what about using .htaccess to accomplish item #1, as described in this article:
http://www.w3.org/TR/WCAG20-TECHS/SVR2.html

Your thoughts?
 
Assisted Solution

by:Ray Paseur earned 250 total points
ID: 36498123
Yes, I think you can do that.  I have never used it but it seems acceptable.  You can also use PHP authentication of some sort.  Even if you do not require clients to register and login, you can cookie the browser.  E-Commerce sites do this all the time so they can create a shopping cart for you even though they do not yet know who you are.  You can also check $_SERVER["HTTP_REFERER"] to see if the client came from your web site to the deep link.
 

Author Comment

by:web5dev7
ID: 36500201
The .htaccess is not working; how about this...

Normally I use ColdFusion for this stuff and a "gateway" page to restrict access to the entry form. So maybe a translation to PHP would work. Do you know how I could write the following in PHP:

Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<!--- the form name must match the one the onLoad submits (was "entry") --->
<form action="submit.cfm" method="post" name="Form1">
<cfoutput>
<input type="hidden" name="fromquiz" value="Y">
</cfoutput>
</form>

Code on the form page:

<cfif IsDefined("form.fromquiz") is "False">
<cflocation url="error.cfm?err=badpath">
</cfif>

Then for restricting form entries to once per day per user (email):
<!--- cfqueryparam sends the form values as bound parameters instead of splicing them into the SQL --->
<cfquery name="oneaday" datasource="mydb">
    select email from QUIZ_TABLE
    where email = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar">
      and submitdate = <cfqueryparam value="#form.submitdate#" cfsqltype="cf_sql_varchar">
      and form_action = 'quizentry'
</cfquery>
<!--- the query is named "oneaday", so that is the recordcount to test (was "az") --->
<cfif oneaday.recordcount NEQ 0><cflocation url="error.cfm?err=dup-game"></cfif>

thanks
Assisted Solution

by:leakim971 earned 250 total points
ID: 36500328
Code on the interim page:

<body onLoad="javascript:document.Form1.submit();">

<form action="submit.php" method="post" name="Form1">
<?php
     echo '<input type="hidden" name="fromquiz" value="Y">';
?>
</form>

Code on the form page:
<?php
     // $_POST rather than $_REQUEST, so the flag only counts when it arrives in the
     // interim page's POST and not from a URL query string
     if( !isset( $_POST["fromquiz"] ) ){
         header('Location: error.php?err=badpath');
         exit; // without exit the rest of the page is still served after the redirect header
     }
?>

Then for restricting form entries to once per day per user (email):

<?php

// the key is "submitdate": "$submitdate" interpolated an undefined variable, giving an empty key
if( isset($_POST["email"]) && isset($_POST["submitdate"]) ) {

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

// make foo the current db
$db_selected = mysql_select_db('foo', $link);
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}

// trim first, then escape, so the escaped string goes into the query exactly as produced
$email      = mysql_real_escape_string(trim($_POST["email"]), $link);
$submitdate = mysql_real_escape_string(trim($_POST["submitdate"]), $link);

$result = mysql_query("select email from QUIZ_TABLE where email = '$email' and submitdate = '$submitdate' and form_action = 'quizentry'", $link);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

if( mysql_num_rows($result) != 0 ) {
    header('Location: error.php?err=dup-game');
    exit; // do not fall through and record a second entry
}


}
?>
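As an added example (not leakim971's code or part of the original thread), the same two checks done entirely server-side: a session flag set when the quiz finishes replaces the hidden fromquiz field, which any visitor can post by hand, and the once-per-day query uses a PDO prepared statement with the database's own date rather than a submitdate posted from the browser. Assumed: PDO with the MySQL driver, a QUIZ_TABLE with columns email, submitdate (DATETIME) and form_action, and the placeholder connection values from this thread.

```php
<?php
// Added example, not code from the original thread. Gate the entry form with a
// server-side session flag and check "one entry per day" with a prepared statement.
// Assumed schema: QUIZ_TABLE(email, submitdate DATETIME, form_action).
session_start();

// quiz_done.php: the quiz's final step lands here and records completion.
function mark_quiz_complete()
{
    $_SESSION['quiz_complete_at'] = time();
}

// entry_form.php: refuse direct or bookmarked visits. Unlike a hidden field,
// the flag lives in the server-side session and is never sent by the browser.
function require_quiz_complete($max_age_seconds = 1800)
{
    if (empty($_SESSION['quiz_complete_at'])
        || time() - $_SESSION['quiz_complete_at'] > $max_age_seconds) {
        header('Location: error.php?err=badpath');
        exit;  // stop here; otherwise the form still renders after the redirect header
    }
}

// submit.php: one entry per email per calendar day, decided by the database
// clock (CURDATE()) instead of a date value the client chooses.
function already_entered_today(PDO $pdo, $email)
{
    $sql = 'SELECT COUNT(*) FROM QUIZ_TABLE
            WHERE email = :email AND form_action = :action
              AND DATE(submitdate) = CURDATE()';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':email' => trim($email), ':action' => 'quizentry'));
    return (int)$stmt->fetchColumn() > 0;
}

// Usage on submit.php (connection values are the placeholders from this thread):
// $pdo = new PDO('mysql:host=localhost;dbname=mydbname;charset=utf8',
//                'dbusername', 'mypassword',
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// require_quiz_complete();
// if (already_entered_today($pdo, $_POST['email'])) {
//     header('Location: error.php?err=dup-game');
//     exit;
// }
// ... insert the entry with NOW() as submitdate ...
// unset($_SESSION['quiz_complete_at']);  // a further entry needs a fresh quiz run
```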
 

Author Comment

by:web5dev7
ID: 36500914
Leakim,

Regarding this part:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

Is that all it needs to connect? or do I also need to add a connection file (include) on the form page something like:
<?php require_once('connect.php');?>

and connect.php has something like:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connect = "localhost";
$database_connect = "mydbname";
$username_connect = "dbusername";
$password_connect = "mypassword";
$connect = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
?>

Or is everything it needs already included in your code ?
 
Assisted Solution

by:leakim971 earned 250 total points
ID: 36501593
>Is that all it needs to connect?

yes
 

Author Comment

by:web5dev7
ID: 36503755
ok, so I guess I need to replace "foo" with my actual db name and the actual user/pass in place of: mysql_user, mysql_password in your code:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

correct?

0
 

Author Closing Comment

by:web5dev7
ID: 36582179
partial solution
