Need some help stopping multiple signups.. php/mssql

Posted: Mon Apr 21, 2014 12:15 pm
by dustydog
It's been a couple years now since I've worked on websites on a daily basis.. I thought you could never really forget how to program, but I am running a small project now and I am more or less confused on how to fix an issue..

I have a simple signup page requesting a username, password, password2 and email. I currently check only to see if the username exists and show an error if it does.

What I need to do is to also add new hidden fields for IP, calling $_SERVER['REMOTE_ADDR'] which I can do. I basically need a way to check to make sure accounts can not be made from the same user. I know people can change their IP with software and still, in some cases the IP can be dynamic. But I really need to stop additional registrations..

This is the problem I'm having on the signup page, and I also have a simple page for my game, where you can request a set amount of coins daily, but still, the request script needs a way to only be used by one UserName, whether they have multiple accounts or not.

EDIT: Not sure if it makes a difference, but the coin request, I'm trying to set up to be allowed once per day after 8 AM. I can set a field to 1 if they already requested coins, but I'm not sure what's best to check. Compare the date/time and if 24 hours have passed, set the field back to 0 and then 1 again when they submit again? I'm probably making this more complicated than it is.. Setting a field to 1 would stick whether the user changed their IP address? Would that work too?

If anyone can point me in the right direction, I would definitely appreciate it..
Chris

Re: Need some help stopping multiple signups.. php/mssql

Posted: Mon Apr 21, 2014 12:25 pm
by Celauran
dustydog wrote: What I need to do is to also add new hidden fields for IP, calling $_SERVER['REMOTE_ADDR']
I wouldn't recommend that. If you want to use IP, grab it after having validated the form. If you include it in the form, even if it's hidden, you have to assume it can be manipulated.

dustydog wrote: I basically need a way to check to make sure accounts can not be made from the same user.
There's no practical way I can think of to do this. IP based blocking is problematic because IPs can be spoofed but can also be shared, so you're potentially limiting access to 1 user per household.

dustydog wrote: This is the problem I'm having on the signup page, and I also have a simple page for my game, where you can request a set amount of coins daily, but still, the request script needs a way to only be used by one UserName, whether they have multiple accounts or not.
Can you provide a little more information on how you're currently implementing this? Tracking requests per user per day shouldn't be difficult.
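
One way to track the daily coin request per account, as an added example that is not code from the thread: the claim is recorded on the account row, so it holds whatever IP address the request comes from. The table layout, the `last_claim` column, the function names and the in-memory SQLite database standing in for the MSSQL server are assumptions.

```php
<?php
// Added example. Constructed schema; SQLite in memory stands in for MSSQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE account (name TEXT PRIMARY KEY,
    coins INTEGER NOT NULL DEFAULT 0, last_claim TEXT)");
$db->exec("INSERT INTO account (name) VALUES ('chris01')"); // constructed row

// Start of the current claim window: the most recent 08:00 at or before $now.
function windowStart(DateTimeImmutable $now): DateTimeImmutable
{
    $reset = $now->setTime(8, 0, 0);
    return $now < $reset ? $reset->modify('-1 day') : $reset;
}

// Grant coins at most once per window. The "already claimed?" test and the
// write are one UPDATE, so two simultaneous requests cannot both succeed.
function claimCoins(PDO $db, string $name, int $amount, DateTimeImmutable $now): bool
{
    $stmt = $db->prepare(
        "UPDATE account SET coins = coins + :amount, last_claim = :now
          WHERE name = :name AND (last_claim IS NULL OR last_claim < :start)"
    );
    $stmt->execute([
        ':amount' => $amount,
        ':now'    => $now->format('Y-m-d H:i:s'),
        ':name'   => $name,
        ':start'  => windowStart($now)->format('Y-m-d H:i:s'),
    ]);
    return $stmt->rowCount() === 1; // 0 rows changed means already claimed
}

// Constructed request times: first claim, same day, next day before and at 08:00.
$times = ['2014-04-21 12:15:00', '2014-04-21 15:15:00',
          '2014-04-22 07:59:00', '2014-04-22 08:00:00'];
foreach ($times as $t) {
    $ok = claimCoins($db, 'chris01', 100, new DateTimeImmutable($t));
    echo $t, ' -> ', $ok ? 'coins granted' : 'already claimed', "\n";
}
```

In the real request script, take the account name from the logged-in session rather than from a form field.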

Re: Need some help stopping multiple signups.. php/mssql

Posted: Mon Apr 21, 2014 12:37 pm
by dustydog
Thanks for the reply.. For the signup page, here is the whole block of php code.. This is what was provided by someone else, but as you can see, it only checks for the username whether it's been used or not. Honestly, I used to do all this with Dreamweaver years ago, hence the reason why now I'm having issues..

But here is the whole section of code, minus the simple form. I don't need code unless you want to supply it. I'm just looking for ideas on the right way to handle the issue.

Code:

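<?php
// Connect to the SQL Server instance and select the game database.
// "sa" is the server's administrator login; a web page should use a
// dedicated login limited to the tables it needs.
$link = mssql_connect("0.0.0.0:1433", "sa", "pass")
    or die("<script>alert('Can not connect to the database.');history.back();</script>");
$db = mssql_select_db('GameDB')
    or die("<script>alert('Can not connect to the database.');history.back();</script>");

// The signup form posts back to this page with ?add=1.
if (isset($_GET['add']) && $_GET['add'] == '1') {
    $username = isset($_POST["username"]) ? $_POST["username"] : '';
    $pwd      = isset($_POST["pwd"]) ? $_POST["pwd"] : '';
    $repwd    = isset($_POST["repwd"]) ? $_POST["repwd"] : '';
    $creatime = date("Y-m-d H:i:s");

    // Reject anything that is not a string of more than 4 characters.
    if (!is_string($username) || strlen($username) <= 4) {
        echo "<script>alert('Please enter a name longer than 4 characters, too.');history.back();</script>";
        exit();
    }

    // Both password fields must be strings and must match.
    if (!is_string($pwd) || $pwd != $repwd) {
        echo "<script>alert('Please enter a password to sync with.');history.back();</script>";
        exit();
    }

    // Letters and digits only. This check is also what keeps $username safe
    // to place inside the SQL strings below, so it has to run before them.
    // preg_match() replaces the deprecated eregi(); \z anchors at the true
    // end of the string, so a trailing newline is rejected as well.
    if (!preg_match('/^[a-zA-Z0-9]*\z/', $username)) {
        echo "<script>alert('Please enter your password to just letters. a-z, A-Z, 0-9 ????????');history.back();</script>";
        exit();
    }

    // The only check against existing accounts: is the name already taken?
    $query = "SELECT name FROM GameDB.dbo.account WHERE name='$username'";
    $result = mssql_query($query);
    $rows = mssql_num_rows($result);

    if ($rows > 0) {
        echo "<script>alert('username ?Username already in Use!');history.back();</script>";
        exit();
    }

    // Next id = highest existing id + 1. Two signups at the same moment can
    // read the same value; an IDENTITY column avoids that.
    $userid = 0;
    $result = mssql_query("SELECT TOP 1 * FROM GameDB.dbo.account order by id desc");
    while ($rkrow = mssql_fetch_array($result)) {
        $userid = $rkrow['id'];
    }
    $noid = $userid + 1;

    // passwd is written as a binary literal: 0x + md5(username . password).
    // MD5 is fast to brute-force, so it gives little protection if the table leaks.
    $Salt = $username.$pwd;
    $Salt = md5($Salt);
    $Salt = "0x".$Salt;

    $query = "INSERT INTO GameDB.dbo.account (id,name,creatime,passwd) VALUES ('$noid','$username','$creatime',$Salt)";
    $result = mssql_query($query);
    echo "<script>alert('$username account created successfully! ');history.back();</script>";
}
?>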
Thanks for looking!
Chris
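
A signup handler along the lines Celauran suggests, as an added example that is not the poster's rewritten code: the address is read on the server after the form has been validated, duplicate names are rejected by a UNIQUE constraint, and the per-address cap is a soft limit rather than one account per IP. The schema, the `signup_ip` column, the limit of 3, the use of `password_hash()` and the in-memory SQLite database standing in for MSSQL are assumptions.

```php
<?php
// Added example. Constructed schema; SQLite in memory stands in for MSSQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE account (id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL UNIQUE, passwd TEXT NOT NULL,
    creatime TEXT NOT NULL, signup_ip TEXT NOT NULL)");

// Assumed policy: more than 1, because one address can serve a whole household.
const MAX_SIGNUPS_PER_IP_PER_DAY = 3;

// $ip is passed in from $_SERVER['REMOTE_ADDR'], never from a form field.
function signup(PDO $db, array $post, string $ip, DateTimeImmutable $now): string
{
    $name = $post['username'] ?? '';
    $pwd  = $post['pwd'] ?? '';
    if (!is_string($name) || !preg_match('/^[a-zA-Z0-9]{5,20}\z/', $name)) return 'bad username';
    if (!is_string($pwd) || $pwd === '' || $pwd !== ($post['repwd'] ?? '')) return 'password mismatch';

    // Soft limit: count accounts created from this address in the last 24 hours.
    $recent = $db->prepare("SELECT COUNT(*) FROM account WHERE signup_ip = ? AND creatime > ?");
    $recent->execute([$ip, $now->modify('-1 day')->format('Y-m-d H:i:s')]);
    if ((int) $recent->fetchColumn() >= MAX_SIGNUPS_PER_IP_PER_DAY) return 'too many signups from this address';

    try {
        // Bound parameters: no user input is concatenated into the SQL text.
        $ins = $db->prepare("INSERT INTO account (name, passwd, creatime, signup_ip) VALUES (?, ?, ?, ?)");
        $ins->execute([$name, password_hash($pwd, PASSWORD_DEFAULT), $now->format('Y-m-d H:i:s'), $ip]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = constraint violation: the UNIQUE index caught a duplicate name.
        if ((string) $e->getCode() === '23000') return 'username taken';
        throw $e;
    }
    return 'created';
}

// Constructed requests. The forged hidden "ip" field is never read.
$now  = new DateTimeImmutable('2014-04-21 12:15:00');
$form = fn(string $u) => ['username' => $u, 'pwd' => 'correct horse',
                          'repwd' => 'correct horse', 'ip' => '198.51.100.9'];
foreach (['chris01', 'chris01', 'chris02', 'chris03', 'chris04'] as $u) {
    echo $u, ': ', signup($db, $form($u), '203.0.113.7', $now), "\n";
}
```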

Re: Need some help stopping multiple signups.. php/mssql

Posted: Mon Apr 21, 2014 6:49 pm
by dustydog
Hello,
I was able to figure out what I needed to do..

I went ahead and re-wrote all of the code and cleaned it up and now I was able to stop multiple signups.

Thanks for looking,
Chris