Prevent user from abusing button clicking



Vernk
10-10-2012, 03:52 AM
Hello, I have a script: when the person clicks the button it will give them 1000 credits, but if you keep clicking it will keep uploading, so they can abuse this and get as many credits as they want.


if (isset($_POST['35a322a37e6fb34b2aaea6f4ed30aa7f'])) {
    // Referral id taken straight from the form; it is interpolated into the SQL below unescaped
    $id = $_POST['1f2121f36f817bd18540e5fa7de06f59'];
    // Both queries run unconditionally on every click; nothing checks whether the referral was already claimed
    mysql_query("UPDATE referr SET status=0 WHERE userid='$uid' AND id='$id'");
    mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'");
    header("location:/panel/referral");
}

How can I stop this from happening?

firepages
10-10-2012, 10:50 AM
Does the user have to log in to access this feature? If so it's easy enough; if not, it gets quite complicated and is normally easy enough to bypass.

Vernk
10-10-2012, 03:52 PM
Yea, they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query, so they can get tons of credits.

Fou-Lu
10-10-2012, 03:57 PM
Yea they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query , so they can get tons of credits

I believe you can use mysql_affected_rows for this. If it's an update and no field data has actually changed, I believe it relays the count excluding that record.
So after the first update, simply add in:


// Pay the bonus only when the preceding UPDATE on referr reported no changed rows
if (mysql_affected_rows() <= 0)
{
    mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'");
}

Assuming that userid and id are a composite key on referr, that should only ever be 0 or 1 if the affected rows works as I think it does.
If it does not, simply issue a select first, then issue an update. If the record is already set at 0 (or doesn't exist maybe?), then update.

Vernk
10-10-2012, 04:06 PM
It still isn't working. I can keep clicking it and it gives me more.

Fou-Lu
10-10-2012, 05:34 PM
It still isn't working. I can keep clicking it and gives me more

Is the affected rows producing results even when an update isn't occurring?
If it is, simply issue a select statement first to determine if you can issue the update.

Vernk
10-11-2012, 01:53 AM
Thanks, I got it fixed. I just had to run a query to check as you said. Silly me.

Fou-Lu
10-11-2012, 01:58 AM
Silly me, I have the affected rows check backwards. Try issuing the update, then checking if it's > 0, not <= 0.
If that works as I expect, then I'd suggest this route. Saves a query.
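To show the affected-rows route from this thread end to end, here is an added example (not code from the thread) that models the referr and userinfo tables in SQLite with Python: the claim is a single conditional UPDATE (assuming status=1 means "not yet claimed", which the thread never states) and the bonus is paid only when that UPDATE changed exactly one row, so repeated clicks, and a SELECT-then-UPDATE race between two concurrent requests, cannot pay twice. The same shape in the thread's MySQL code would be a parameterised UPDATE ... AND status=1 followed by mysql_affected_rows() > 0.

```python
import sqlite3


def setup_db():
    """Constructed in-memory schema mirroring the thread's tables: user 1 has one pending referral."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN/COMMIT issued by hand
    db.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, credits INTEGER NOT NULL)")
    db.execute("CREATE TABLE referr (id INTEGER, userid INTEGER, status INTEGER NOT NULL,"
               " PRIMARY KEY (id, userid))")
    db.execute("INSERT INTO userinfo VALUES (1, 0)")
    db.execute("INSERT INTO referr VALUES (7, 1, 1)")  # assumption: status=1 is 'unclaimed'
    return db


def claim_referral(db, uid, ref_id, bonus=1000):
    """Flip the referral to claimed and pay the bonus at most once.
    Returns True only on the call that actually paid."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock so two clicks serialise
    try:
        # The status=1 predicate makes matched rows == changed rows, so the row count is
        # unambiguous regardless of whether the driver reports matched or changed rows
        cur = db.execute(
            "UPDATE referr SET status = 0 WHERE userid = ? AND id = ? AND status = 1",
            (uid, ref_id),
        )
        if cur.rowcount != 1:
            db.execute("ROLLBACK")  # already claimed (or no such referral): pay nothing
            return False
        db.execute("UPDATE userinfo SET credits = credits + ? WHERE id = ?", (bonus, uid))
        db.execute("COMMIT")
        return True
    except Exception:
        db.execute("ROLLBACK")
        raise


def credits_of(db, uid):
    return db.execute("SELECT credits FROM userinfo WHERE id = ?", (uid,)).fetchone()[0]


def simulate_double_click(clicks=5):
    """Constructed scenario: the same user submits the claim form several times."""
    db = setup_db()
    results = [claim_referral(db, 1, 7) for _ in range(clicks)]
    return results, credits_of(db, 1)


if __name__ == "__main__":
    print(simulate_double_click())  # ([True, False, False, False, False], 1000)
```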
