Prevent user from abusing button clicking

Vernk · 10-10-2012, 02:52 AM

Hello , I have a script when the person clicks the button it will give them 1000 credits but if you keep clicking it will keep uploading so they can abuse this and get as many credits and they want.

PHP Code:


			
if(isset($_POST['35a322a37e6fb34b2aaea6f4ed30aa7f'])) {

            $id = $_POST['1f2121f36f817bd18540e5fa7de06f59'];

            mysql_query("UPDATE referr SET status=0 WHERE userid='$uid' AND id='$id'");

            mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'");

            header("location:/panel/referral");

            }

How can I stop this from happening?

firepages · 10-10-2012, 09:50 AM

does the user have to log in to access this feature ? if so its easy enough , if not it gets quite complicated and normally easy enough to bypass

Vernk · 10-10-2012, 02:52 PM

Yea they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query , so they can get tons of credits

Fou-Lu · 10-10-2012, 02:57 PM

Quote:

Originally Posted by Vernk

Yea they have to be logged in. But the problem is when they keep clicking the button it keeps uploading and running the query , so they can get tons of credits

I believe you can use mysql_affected_rows for this. If its an update and no field data has actually changed, I believe it relays the count excluding that record.
So after the first update, simply add in:

PHP Code:


			
if (mysql_affected_rows() <= 0)

{

    mysql_query("UPDATE userinfo SET credits = credits + 1000 WHERE id='$uid'"); 

}

Assuming that userid and id are a composite key on referr, that should only ever be 0 or 1 if the affected rows works as I think it does.
If it does not, simply issue a select first, then issue an update. If the record is already set at 0 (or doesn't exist maybe?), then update.

Vernk · 10-10-2012, 03:06 PM

It still isn't working. I can keep clicking it and gives me more

Fou-Lu · 10-10-2012, 04:34 PM

Quote:

Originally Posted by Vernk

It still isn't working. I can keep clicking it and gives me more

Is the affected rows producing results even when an update isn't occurring?
If it is, simply issue a select statement first to determine if you can issue the update.

Vernk · 10-11-2012, 12:53 AM

Thanks, I got it fixed I just had to run a query to check as you said Silly me

Fou-Lu · 10-11-2012, 12:58 AM

Silly me I have affect rows check backwards. Try issuing the update then checking if it's > 0 not <= 0.
If that works as I expect, then I'd suggest this route. Saves a query.