A way to deter people from repeatedly registering

08-14-2009, 06:46 PM
When trying to figure out a way to prevent this (which is mainly a problem of automated scripts trying to register on your site), I came up with a solution that (I think) is okay. Before, when you registered on my site, you were put into a MySQL DB, but your "active" value was set to 0. In an email, there was an activation link that, when clicked, changed your "active" value to 1 and allowed you to log in. Obviously, such a system does not prevent someone from running a script and creating a bunch of inactive users in my DB.

Do you folks think it's safe/sound to NOT put the person into the DB until after they click the link? I was thinking of creating a link that said www.mysite.com/activate.php?username=$_POST[username]&password=md5($_POST[password])

I would then have a "Verify your password" box that hashes the user's input and compares it to the $_GET[password]. If it matches, then create the account.

I'm not sure if this is the way most people already do it... but I wanted to run this by you folks and see if there are any big flaws with this design.


08-15-2009, 05:05 AM
I think it depends on the first form.

If you start out with a more complex form that requires name, email, password,
re-enter password, etc., then you need to create the MySQL data at that time.

If you ask for only a username and email, you can email them a random "temporary"
password to confirm them. The confirmation email sends them back to the real
registration page and THEN the MySQL data is created. The "temporary" password
is special though ... there will be a certain pattern of characters that you look for.
Every temporary password you generate is different, except for that pattern.
All you care about is the email address and the pattern in the "temporary" password.
That means you don't have to create any records, or do any other checking.

Example of some temporary passwords with a pattern (you look for the t,4,w in those specific positions) ...

You would have the PHP script generate the random password and insert the pattern before emailing it to them.
It's so simple that even a spammer wouldn't be expecting that.

I like the latter method better because you won't have any new records created,
and bots won't be confirming emails. If someone does confirm the email and
then cancels filling out the registration, you also don't create any new records.

Here's the thing that is troublesome ... many spammers/ad-click scammers hire REAL people to spend their
whole work-shift going to forums and blogs and registering, using a block of Yahoo or Hotmail emails.
There's no way to stop this activity and it's happening more and more. They get paid by the number of
registrations they do across the internet.

One way to help stop this is to not allow anyone to post content with a URL ... unless they've posted at
least 5 other posts beforehand. This is annoying for REAL users, but it does cut down on spamming.
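Both posts circle the same idea, an activation link that commits nothing to the database until it is clicked. The link is only safe to leave stateless if it carries a value that the server alone can produce, which neither a username plus md5(password) in the query string nor a fixed character pattern in a mailed password gives you. The following is an added example in PHP, not code from either poster; SECRET_KEY, TOKEN_TTL and the activate.php sketch at the end are assumptions.

```php
<?php
// Added example (not either poster's code): a stateless email-confirmation
// token. No DB row is created until someone presents a token the server signed.
// SECRET_KEY is an assumed configuration value; load it from outside the code.
const SECRET_KEY = 'assumed-placeholder-replace-with-32-random-bytes';
const TOKEN_TTL  = 86400;  // link lifetime in seconds (one day)

// Token = base64url( email | expiry | HMAC-SHA256(email | expiry) ).
// Only a holder of SECRET_KEY can produce a valid signature, so the server can
// tell a link it mailed from one that was typed or altered.
function make_confirm_token(string $email, ?int $now = null): string {
    $exp  = ($now ?? time()) + TOKEN_TTL;
    $data = strtolower(trim($email)) . '|' . $exp;
    $sig  = hash_hmac('sha256', $data, SECRET_KEY);      // 64 hex chars
    return rtrim(strtr(base64_encode($data . '|' . $sig), '+/', '-_'), '=');
}

// Returns the confirmed email, or null if the token is malformed, forged,
// tampered with, or expired.
function verify_confirm_token(string $token, ?int $now = null): ?string {
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 66) return null;
    if ($raw[strlen($raw) - 65] !== '|') return null;
    $sig  = substr($raw, -64);               // trailing signature
    $data = substr($raw, 0, -65);            // "email|exp" without the '|'
    // hash_equals is constant-time, so a wrong guess leaks nothing via timing.
    if (!hash_equals(hash_hmac('sha256', $data, SECRET_KEY), $sig)) return null;
    $sep = strrpos($data, '|');              // last '|': an email may contain one
    if ($sep === false) return null;
    $email = substr($data, 0, $sep);
    $exp   = (int) substr($data, $sep + 1);
    if ($exp < ($now ?? time())) return null;  // link has expired
    return $email;
}

// activate.php sketch (assumed): the token is the only thing in the link. The
// user picks the password here, so it never appears in a URL, mail log, or
// browser history.
// $email = verify_confirm_token($_GET['token'] ?? '');
// if ($email === null) { http_response_code(400); exit('Invalid or expired link'); }
// // Show the real registration form; on submit, INSERT the row with
// // password_hash($password, PASSWORD_DEFAULT). If a row for $email already
// // exists, the token is being replayed: send the user to the login page.
```

A valid token still only proves control of the mailbox, so the paid human registrations the second reply describes are unaffected by it; rate-limit token issuance per address and per client so the mail-sending step itself is not the thing that gets abused.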