#1 Regular Coder (Join Date Oct 2011, Posts 113, Thanks 9, Thanked 1 Time in 1 Post)

    Prevent user from abusing button clicking

    Hello, I have a script: when the person clicks the button it will give them 1000 credits, but if you keep clicking it will keep uploading, so they can abuse this and get as many credits as they want.

    PHP Code:
    if (isset($_POST['35a322a37e6fb34b2aaea6f4ed30aa7f'])) {
        // referral id supplied by the client; escaped before it is placed in the query
        $id = mysql_real_escape_string($_POST['1f2121f36f817bd18540e5fa7de06f59']);

        // mark the referral as used ...
        mysql_query("UPDATE referr SET status=0 WHERE userid='$uid' AND id='$id'");

        // ... and credit the user, unconditionally (this is what repeated clicks abuse)
        mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'");

        header("location:/panel/referral");
    }
    How can I stop this from happening?

#2 Super Moderator (Join Date May 2002, Location Perth Australia, Posts 4,040, Thanks 10, Thanked 92 Times in 90 Posts)
    Does the user have to log in to access this feature? If so it's easy enough; if not it gets quite complicated and normally easy enough to bypass.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

#3 Regular Coder (Join Date Oct 2011, Posts 113, Thanks 9, Thanked 1 Time in 1 Post)
    Yeah, they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query, so they can get tons of credits.

#4 Fou-Lu, God Emperor (Join Date Sep 2002, Location Saskatoon, Saskatchewan, Posts 16,987, Thanks 4, Thanked 2,660 Times in 2,629 Posts)
    Quote Originally Posted by Vernk:
    Yeah, they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query, so they can get tons of credits.
    I believe you can use mysql_affected_rows for this. If it's an update and no field data has actually changed, I believe it relays the count excluding that record.
    So after the first update, simply add in:
    PHP Code:
    // placed right after the UPDATE on referr
    if (mysql_affected_rows() <= 0)
    {
        mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'");
    }

    Assuming that userid and id are a composite key on referr, that should only ever be 0 or 1 if the affected rows works as I think it does.
    If it does not, simply issue a select first, then issue an update. If the record is already set at 0 (or doesn't exist maybe?), then update.

#5 Regular Coder (Join Date Oct 2011, Posts 113, Thanks 9, Thanked 1 Time in 1 Post)
    It still isn't working. I can keep clicking it and it gives me more.

#6 Fou-Lu, God Emperor (Join Date Sep 2002, Location Saskatoon, Saskatchewan, Posts 16,987, Thanks 4, Thanked 2,660 Times in 2,629 Posts)
    Quote Originally Posted by Vernk:
    It still isn't working. I can keep clicking it and it gives me more.
    Is the affected rows producing results even when an update isn't occurring?
    If it is, simply issue a select statement first to determine if you can issue the update.

#7 Regular Coder (Join Date Oct 2011, Posts 113, Thanks 9, Thanked 1 Time in 1 Post)
    Thanks, I got it fixed. I just had to run a query to check, as you said. Silly me.

#8 Fou-Lu, God Emperor (Join Date Sep 2002, Location Saskatoon, Saskatchewan, Posts 16,987, Thanks 4, Thanked 2,660 Times in 2,629 Posts)
    Silly me, I have the affected rows check backwards. Try issuing the update, then checking if it's > 0, not <= 0.
    If that works as I expect, then I'd suggest this route. Saves a query.

Users who have thanked Fou-Lu for this post: Vernk (10-11-2012)
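The approach Fou-Lu arrives at across #4 and #8 (run the UPDATE on referr first, and grant the credits only when that statement reports an affected-row count greater than zero), as an added example that is not code from this thread: a Python/sqlite3 model of the two tables, with the client-supplied referral id bound as a parameter rather than interpolated into the SQL as in #1. The table and column names are taken from the thread's queries; the sample rows, the constant and the function names are assumptions. The `AND status<>0` predicate is added because sqlite3's rowcount counts rows matched by the WHERE clause, whereas MySQL's mysql_affected_rows() by default counts only rows whose values actually changed (the behaviour post #4 relies on); the explicit predicate makes the check mean "this referral was still unclaimed" on either database.

```python
import sqlite3

CREDIT_PER_REFERRAL = 1000  # assumed, matches the 1000 in the thread's query


def setup_db():
    """Constructed sample data: one user with zero credits and one unclaimed referral."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, credits INTEGER NOT NULL)")
    # userid + id as the composite key, as post #4 assumes
    conn.execute(
        "CREATE TABLE referr (id INTEGER, userid INTEGER, status INTEGER NOT NULL,"
        " PRIMARY KEY (userid, id))"
    )
    conn.execute("INSERT INTO userinfo VALUES (1, 0)")
    conn.execute("INSERT INTO referr VALUES (7, 1, 1)")  # status 1 = not yet claimed
    conn.commit()
    return conn


def claim_referral(conn, uid, referral_id):
    """Flip the referral to status 0 and pay out only if that flip changed a row.

    Returns True when credits were granted, False when the referral was already
    claimed or does not belong to this user. Both statements run in one
    transaction so a failure between them cannot leave a half-applied claim.
    """
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE referr SET status=0 WHERE userid=? AND id=? AND status<>0",
            (uid, referral_id),
        )
        # rowcount is the affected-row count: 1 on the first click, 0 on every later one
        if cur.rowcount > 0:
            conn.execute(
                "UPDATE userinfo SET credits = credits + ? WHERE id=?",
                (CREDIT_PER_REFERRAL, uid),
            )
            return True
        return False


def credits_of(conn, uid):
    return conn.execute("SELECT credits FROM userinfo WHERE id=?", (uid,)).fetchone()[0]


def simulate_clicks(n):
    """Model n repeated clicks on the button and report what each click granted."""
    conn = setup_db()
    results = [claim_referral(conn, 1, 7) for _ in range(n)]
    return results, credits_of(conn, 1)


if __name__ == "__main__":
    granted, balance = simulate_clicks(5)
    print("per-click grants:", granted)  # only the first is True
    print("final credits:", balance)     # 1000, however many clicks arrive
```

Because the guard and the state change are one UPDATE statement, this also holds when two requests arrive at the same instant rather than one after another: the database serializes the write to that referr row, so exactly one request sees a changed row and pays out. A separate SELECT followed by an UPDATE, the alternative mentioned in #4 and #6, leaves a window between the check and the write in which two concurrent requests can both pass the check.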
