Prevent Multiple Entries using PHP

7

1

Presented alongside a polling facility on a webpage are the following input fields that enable the visitor (voter) to enter their details in a raffle for a hamper as a reward for their effort in taking part in the poll.

The raffle entry form script is not attached to the poll script. All inputs in the raffle entry form script are validated and the info is sent to a flatfile. It is a short poll lasting only 7 days on different topics that might arise from time to time for a small town forum. (IP is also collected.)

Name  :<input type="text" name="visitor" /><br /><br />
Email :<input type="text" name="visitormail" /><br /><br />
Phone :<input type="text" name="visitorphone"/><br /><br />

On submission the 'Thank You' page advises the visitor that their details will be used once in the raffle for the hamper. In other words the visitor could go back and fill in the form again and submit, requiring that I check for and weed out multiple entries from the flatfile before completing the Random Number draw for the hamper!

The Question: Is there a simple way to install something that prevents the visitor from attempting multiple entries into the draw?

Outrage answered 11/11, 2011 at 20:12 Comment(4)
Are you logging people in as users first? - Cum
No logging in - trying to maintain simple access for ordinary punters. Also, not wishing to exceed my own skills for the moment. - Outrage
Is it such a big problem to have people with multiple entries into the draw? How do you know they haven't voted in your poll multiple times? - Cum
Currently managing multiple vote entries using one vote per IP. But I have learned a lot about IPs in the last half hour. As you have indicated there is not exactly a simple solution that can be unpacked and plugged in. - Outrage
1

I would log the IP as well (see the $_SERVER variable). Then you can narrow down duplicates by IP. Not always the most foolproof method.

Another approach could be a cookie.

Patroclus answered 11/11, 2011 at 20:20 Comment(6)
Cookie is susceptible to user manipulation though; storing the IP in your database/flat file backend removes their ability to manipulate your gatekeeping. - Patroclus
Does a cookie work? Not yet very familiar with cookies. I note your additional comment. - Outrage
Most schools and companies have one common IP, so one vote per IP equals one vote per school/company for those places, and at schools that have one IP per computer, a single user can vote from each machine once. - Robbert
One vote is controlled by IP and that is fine. The raffle input is separate - no actual connection to the poll script. - Outrage
You could use the Microsoft approach as well and write a program that generates fingerprints based on your hardware, etc. Force your users to activate their raffle entry! (LOL and TROLOLOLOL) - Patroclus
"Another approach could be a cookie." Cookies can be deleted from users' machines. - Cum
1

I agree with @David Barker in that people will probably find a way around whatever you put in place unless you log them in and have a user id for them. However, I don't agree with him that the answer is 'yes'. I think the answer is 'no'.

I can't see any way that you can stop a visitor submitting slightly different information in multiple entries. Unless you ask for and verify their social security, passport or driver license number. In fact the same probably goes for avoiding multiple accounts on a system that logs people in.

So, you may have to accept that people may have multiple entries into the draw or give up on it.

Sorry for the negative answer, but I really can't see how you can achieve what you want without huge resources at your disposal.

Edit to explain my arguments further:

1 - Use name as filter

I have a simple name 'Paul White', there are thousands, if not millions, of Paul Whites, so limiting to one is not realistic.

2 - Use IP address

All I have to do is disconnect my router from my ISP and then re-connect. Hello, new IP, second entry into raffle. Or logmein to my old mum's computer - same result. You cannot prevent multiple entries, period.

3 - Use phone number

I also have 2 mobile phones, a land line number and a Skype number (I travel a lot); I could use a different one each time.

4 - Use house number plus post code

In the UK (I don't know about anywhere else, but suspect it's similar) one post code applies to a number of houses. However, say my house number is 16, I could submit an entry as 16, 16a, 16b... and the address would still be valid and anything mailed to it would still get to me.

5 - Similar arguments relating to minor manipulations for anything else you can think of

Cum answered 11/11, 2011 at 20:38 Comment(3)
vascowhite, you have me almost convinced. Should address also be brought into the picture and would same help? Would people make such efforts for a hamper? - Outrage
A valid address can be written in different ways, just look at the junk mail that comes through your door! For your other question: Should you make such efforts for a hamper? - Cum
There may not be a raffle for a hamper! Maybe I should just add a "Christmas Wish" to the "Thank You" page. - Outrage
0

I presume you are storing the data into the database. Then you can choose one item that has to be unique (I'd recommend a phone #) and make its column a unique key. Therefore the multiple insertions to the database would fail (you have to check the phone # format beforehand and standardize it before the actual insertion, but this is a completely different problem).

Sanguinaria answered 11/11, 2011 at 20:19 Comment(7)
Yes Erbureth, data going to a flatfile db on lines instead of cols... Using the phone no seems a good way to go! Is your solution applicable to the flatfile? - Outrage
As it is described, it relies on the relational database engine to ensure the uniqueness of the record. However the general idea can be implemented to text flatfiles, however you need to do the integrity and uniqueness check by yourself. I'd really recommend an SQL-based engine for data storage. - Sanguinaria
I do appreciate the need longterm to get on board the SQL engine. I think for the moment that I am stuck with the flat engine. - Outrage
Then you need to check the appropriate fields yourself, however, be prepared that without any index it would be quite slow. Also you need to ensure the exclusive access to the file to one thread at a time, otherwise it would suffer from data loss or corruption. You can accomplish it for example by creating a "lock file", which would represent the file being accessed. - Sanguinaria
You can create the lock file by calling fopen with x flag -- php.net/manual/en/function.fopen.php - Sanguinaria
Currently saving info to flatfile called savedinfo.php. Is "lock file" just a secure copy of the savedinfo.php? Can you expand on how fopen with x flag can be applied to the savedinfo.php - if I have presented my question correctly! - Outrage
Right :) The presence of the "lock file" is just an indication that the data file is being manipulated by another process and therefore it is not safe to touch it. Therefore the thread should fopen("lockfile", "x") and check its return value. If it fails, then wait for the lockfile to disappear and then try to create it again. When successful, you can manipulate the database file itself and after finishing, just remove the lockfile to indicate to the other threads it's safe to lock it. Hope it's more clear now :) - Sanguinaria
0

If users have to login to vote then you could just save the user_id and check to see if they've already voted. Or, if they are anonymous you could do an IP number check $_SERVER['REMOTE_ADDR']. Or, you could save a cookie upon submission.

Capua answered 11/11, 2011 at 20:21 Comment(4)
IP is no good for this as they may change, or you may have multiple computers/users behind 1 IP using NAT. - Cum
One vote per IP lets one student vote one time per internet connected computer at the school, if not behind a NAT router, and if behind a NAT router it's 1 vote per school/company. - Robbert
One vote is controlled by IP and that is fine. The raffle input is separate - no actual connection to the poll script. Trying to prevent multiple entries to the raffle. - Outrage
All I have to do is disconnect my router from my ISP and then re-connect. Hello, new IP, second entry into raffle. Or logmein to my old mum's computer - same result. You cannot prevent multiple entries, period. - Cum
0

The answer is yes, but you can only hold people back so much with the data you are given. People will (if inclined) find a way to get themselves entered multiple times into a competition.

I would have a script that read from the flatfile and returned true if key input data matches data already held on file.

e.g.

$input = $_REQUEST['post_data'];
$exists = FALSE;

$fp = fopen("poll.txt","r");

// Parentheses are needed: without them $ln receives the result of the !== comparison
while (($ln = fgetcsv($fp, 1000, "\t")) !== FALSE) {
    if (isset($ln[4]) && $ln[4] == $input) {

        // Set exists to true
        $exists = TRUE;
    }
}
fclose($fp);

if ($exists) {
    return false;
} else {
    // write new data to file.
}

This considers that your flatfile is delimited by \t for each 'cell'. Also to consider: $ln[x], where x = position of the data on each line of the file.

Lytta answered 11/11, 2011 at 20:26 Comment(2)
Sorry David, the answer is 'No', see my answer. :) - Cum
Flatfile currently like so: fwrite($out,"$todayis [IST], $vname, $vemail, $vphone, $ip, $httpref, $httpagent."); Friday, November 11, 2011, 7:47 pm [IST], ffffff ffffffff, [email protected], 55555555555, 127.0.0.1, localhost/Poll/DRBPoll/booth.php, Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23. - Outrage
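The flatfile scan from this answer combined with the fopen "x" lock file described in the comments on the phone-number answer, as an added example that is not code from any poster in the thread. The function names, the tab-separated column order and the ".lock" file name are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed: file names, column order.

function acquire_lock(string $lockFile, int $tries = 50) {
    for ($i = 0; $i < $tries; $i++) {
        $h = @fopen($lockFile, 'x');        // 'x' fails if the file already exists
        if ($h !== false) {
            return $h;
        }
        usleep(100000);                     // another request holds the lock: wait 0.1 s
    }
    return false;
}

// Returns 'added', 'duplicate' or 'busy'.
function add_entry(string $dataFile, string $name, string $email, string $phone, string $ip): string {
    $email = strtolower(trim($email));              // standardise before comparing
    $phone = preg_replace('/\D+/', '', $phone);     // digits only
    $lockFile = $dataFile . '.lock';

    $lock = acquire_lock($lockFile);
    if ($lock === false) {
        return 'busy';
    }
    try {
        $fp = fopen($dataFile, 'c+');               // create if missing, never truncate
        if ($fp === false) {
            return 'busy';
        }
        // Assumed columns: 0 time, 1 name, 2 email, 3 phone, 4 ip
        while (($row = fgetcsv($fp, 0, "\t", '"', '')) !== false) {
            if (isset($row[3]) && ($row[2] === $email || $row[3] === $phone)) {
                fclose($fp);
                return 'duplicate';
            }
        }
        fseek($fp, 0, SEEK_END);
        // fputcsv quotes tabs and newlines, so a field cannot forge an extra row
        fputcsv($fp, [date('c'), $name, $email, $phone, $ip], "\t", '"', '');
        fclose($fp);
        return 'added';
    } finally {
        fclose($lock);
        unlink($lockFile);                          // release for the next request
    }
}

// Constructed sample input
echo add_entry(sys_get_temp_dir() . '/raffle_entries.txt', 'Ann Example', 'Ann@Example.org', '555-0100', '192.0.2.10'), "\n";
```

If a request dies while holding the lock, the lock file stays behind and every later call returns 'busy' until the file is removed. Keeping the data file outside the web root also stops visitors from fetching the collected names, emails and phone numbers directly.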
0

You can easily solve this using the email as the key. If you're using a database you could do a quick check to see if the email exists, like

$stmt = $pdo->prepare("SELECT COUNT(visitoremail) FROM users WHERE LOWER(visitoremail) = ?"); // $pdo: an open PDO connection (assumed)
$stmt->execute(array(strtolower($_REQUEST['visitormail'])));

If the result is greater than zero, you wouldn't add them to the database. Similarly, if the count was equal to zero, then you would do an INSERT with your new data.

Another way would be to store all the entries in your database regardless. Then, either "SELECT DISTINCT visitoremail FROM users ..." or select all the emails into a PHP array, and then do an array_unique(visitoremails) to get the unique emails.

Dday answered 11/11, 2011 at 20:30 Comment(6)
Also, if you're using a flat file, then putting all the emails into an array at the end of your contest, then getting the uniques with array_unique would definitely do what you need. - Dday
I have 6 email addresses? In fact unlimited if I use the + sign to add address tags; this is not limited to Gmail. - Cum
Can phone also be used as you have set out in email key above so that inputs are checked against two records? - Outrage
I also have 2 mobile phones, a land line number and a Skype number (I travel a lot); I could use a different one each time. Sorry to be negative, but see my answer. - Cum
I got 10 domains with catch-all addresses, so I got 10 * unlimited addresses; email isn't that unique. - Robbert
I've gotten around this (somewhat) using Facebook Connect (and the FBID as my key) but it still wouldn't stop people from using multiple FB accounts. Without some sort of user-registration you're left with IP addresses which, as already has been pointed out, are unreliable. - Dday
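The unique-key idea from the phone-number answer applied to the email check in this one, as an added example that is not code from any poster: the database rejects the duplicate itself, so there is no gap between a SELECT COUNT and the INSERT for two simultaneous requests to slip through. The table name "entries", the in-memory SQLite database and the function name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: PDO with the SQLite
// driver, a table called "entries", and the function name enter_raffle().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (
    name  TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE,
    phone TEXT NOT NULL UNIQUE
)');

// Returns true when the entry was stored, false when email or phone is already present.
function enter_raffle(PDO $pdo, string $name, string $email, string $phone): bool {
    $email = strtolower(trim($email));              // standardise before insertion
    $phone = preg_replace('/\D+/', '', $phone);     // digits only
    // Placeholders keep visitor input out of the SQL text
    $stmt = $pdo->prepare('INSERT INTO entries (name, email, phone) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$name, $email, $phone]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (here: a UNIQUE column)
        if (($e->errorInfo[0] ?? '') === '23000') {
            return false;
        }
        throw $e;                                   // anything else is a real error
    }
}

// Constructed sample input: the second call repeats the email in another case
// and the third repeats the phone number with different punctuation.
var_dump(enter_raffle($pdo, 'Ann Example', 'ann@example.org', '555-0100'));
var_dump(enter_raffle($pdo, 'Ann E.',      'ANN@example.org', '555-0199'));
var_dump(enter_raffle($pdo, 'A. Example',  'ann2@example.org', '(555) 0100'));
```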
-1

If you disable the submit button in the onclick event, the visitor will have to refresh the page for resubmitting your form.

You can do something like:

var btn = document.getElementById("button-id");
btn.onclick = function() {
    btn.disabled = true;
};
Coauthor answered 11/11, 2011 at 20:15 Comment(3)
Actually all the visitor needs to do then is turn off javascript. I don't think this answers the question at all. - Cum
Ok gustavotkg, if the visitor comes back a day or two later to a refreshed page will they be able to submit their details again to the flatfile? - Outrage
But your suggestion did keep me thinking! Thanks. - Outrage