I have a button that performs an action, is it possible to create a timer so the button can only be used every 6 hours or so?
Would need to be for each specific user, so if one user presses the button, it won't affect another user's cooldown or ability to press it.
Here's the form
<html>
<body>
<form action="addgold.php">
<input type="submit" name="Add gold" value="Work" onclick="addgold()" />
</form>
And here's the action that the button performs if it is needed
<?php error_reporting(E_ALL); ini_set('display_errors', 1);
include("header.php");
include("connect.php");
if(isset($_SESSION['userlogin'])){
$username = $_SESSION['userlogin'];
$sql = "SELECT stats.id, stats.gold, users.id, users.username FROM stats, users WHERE users.username = '$username' AND stats.id = users.id";
$retval = mysqli_query($con,$sql);
while($row = mysqli_fetch_array($retval, MYSQL_ASSOC))
{
echo "Gold :{$row['gold']} <br> ".
"--------------------------------<br>";
}
$row = mysqli_fetch_row($retval);
$result = $row[0];
echo "Back to main page";
}else{
?>
<?php
echo "fail";
}
?>
I found a similar answer to this in another Stackoverflow question (this site has everything) that said it can only be done in javascript, which is fine besides I haven't a clue about javascript!
There was some code he/she put with it
window.setTimeout(function() {
document.forms['form_name'].submit();
}, 1000);
But where do I put that? into my php page? if so, where?
It is really important how you want the button will work.
1) Is it only for registered users
Save it to database. And then just check the DB time difference.
2) For everyone
If it does not have to be 100 % accurate you can use a session or you can also save the information to DB and then check the difference.
If you put your limiter in javascript, it will be done client-side, which means if a user knows about programming, he'll easily be able to go around that protection.
If you really want to enforce a time limit between clicks, it should be done server-side, but that means that the server must be able to recognize clients. What is generally done is using the IP address (even if it's not perfect), which you can get by checking the $_SERVER['REMOTE_ADDR'] variable in PHP.
If you want to compel observance of time limit between clicks surely you would need to use $_SESSION[] in php(server side) for this purpose and save the information to the database.
Assuming your app has authentication in place, which identifies each user uniquely, you can create a table in your DB (or add a column to your users table) which stores the last time a user has pressed the button as a DATETIME type.
Then all you have to do when the page is requested is calculate the difference between the current time and the one stored in your DB. Using mysql:
SELECT HOUR(TIMEDIFF(NOW(),last_pressed)) AS time_passed FROM my_table
If the difference is less than 6 hours you simply remove or disable the button. Do note that removing the button is not enough and you have to block the action on the server side as well, because a seasoned user can send the request via the browser's URL bar or using curl without using the button.
If you don't have proper session authentication, you can resort to #ploutch's solution, and save the IP address instead of the user ID. This is not perfect because the headers sent to the server can be tampered with by the client.
Try setTimeout function in javascript
<input type="button" value="click" id="click" onclick="foo(this);"/>
in javascript
function foo(obj) {
obj.disabled = true;
setTimeout(function() {
obj.disabled = false;
}, 2000);
}
Related
This code is used to put a data in the database once the button is activated and then take it off and replace it by(Question save!). The problem is it take me two attempts to make it disappear(the button). $numofrow is used to verify if the action was once made(the action of the submit button). The problem is not the database,query,etc, its really the button. Thanks for your time.
This is my code:
if(isset( $real_domaine)){
$tt = "SELECT*FROM uniwix.table0 WHERE id= '$id' ";
$rr = mysqli_query($database,$tt);
while($rows = mysqli_fetch_assoc($rr)){
[rows call...]
$md = "SELECT*FROM uniwix.table1 WHERE usern='$us' and question='$sujet'";
$ao = mysqli_query($database,$md);
$numofrow = mysqli_num_rows($ao);
if($numofrow == 0){
echo '<form action="" method="POST">
<input type="submit" name="sauvegarder" value="Save the question"/>
</form>';
if(isset($_POST['sauvegarder'])){
$qu = "INSERT INTO database (usern,question) VALUES('".$us."','".$sujet."')";
$sm = mysqli_query($database,$qu);
}
}else{
echo 'Question saved!';
}
//end of while loop
}
// end of if(isset( $real_domaine))
}
The problem is not the database,query,etc, its really the button.
The button is almost passive, all it does is to send the data to the server when it is pressed. The error is in the (lack of) logic of the PHP code.
When the script runs for the first time, $numofrow is 0. It runs the echo that generates the form with the button then it checks if $_POST['sauvegarder'] is set. It is not set, of course, because when the page is loaded for the first time, the GET method is used.
The user presses the button, the data is submitted using POST and the code runs again. $numofrow is still 0 (no data was inserted in the database yet), the form is displayed again but this time $_POST['sauvegarder'] is set and the data received from the browser is saved into the database.
You need to rethink the logic of you page.
More, the form is empty. Maybe it works but this is not the correct way to write forms. The input fields you want to send to the server must stay in the form.
Even more, and the most important of all, your database code is a candidate for SQL injection. Don't build queries using string concatenation. Use prepared statements. Also read about how prevent SQL injection in PHP.
I'm very new to web programming and everything I learn I basically learn from looking up documentation online. I have a website running a type of game with an inventory and such. I can't seem to think of a clean way of giving items to the user. It currently uses a JavaScript function, but I realized the user could just call the function from the URL bar and exploit the system.
On a given page, this is the code that calls for an item to be given. The user will click a button like the "Get Hat" button, and will be redirected to another page:
<script>
function giveitem(name, quant)
{
document.getElementById("itemnamefield").value=name;
document.getElementById("itemquantfield").value=quant;
document.itemform.submit();
}
</script>
<form id="itemform" name="itemform" action="./itemget.php" method="post">
<input type="hidden" id="itemnamefield" name="itemnamefield" value="">
<input type="hidden" id="itemquantfield" name="itemquantfield" value="">
</form>
<input type="button" onClick="javscript: giveitem('Hat',1);" value="Get Hat"><br>
itemget.php then executes this function using the post data from the previous page. $id is the user's ID number stored in a cookie, $name is the title of the item, $quant is the desired quantity of the items.
function additem($id, $name, $quant){
include 'sqlconnect.php';
$result = mysqli_query($con, "SELECT * FROM inventory WHERE id='$id' AND name='$name'");
if ($row = mysqli_fetch_array($result)){
mysqli_query($con, "UPDATE inventory SET quant=quant+'$quant' WHERE id='$id' AND name='$name'");
}
else{
$subresult = mysqli_query($con, "SELECT name FROM itemdef WHERE name='$name'");
$subrow = mysqli_fetch_array($subresult);
mysqli_query($con,"INSERT INTO inventory (id, quant, name) VALUES ('$id', '$quant', '$subrow[name]')");
}
}
itemget.php then displays what items the user received.
So I can't use javascript because that's exploitable. I'm not really intent on using jquery or anything besides standard HTML and PHP (I'm trying to keep it simple because I'm so inexperienced). Is my only alternative to create a new form for every "give x item" button?
You can use javascript, forms, or just simple hyperlinks.
The trick is to let the server know which possibilities the user has. So when you generate the page, you can store in the user's session on the server that you generated the 'get hat' link, so 'get hat' therefor is a valid command.
If you receive a command that is not valid, the user may be cheating, or they clicked 'back' and executed a command from an outdated page. Anyway, you can then ignore the command or display a message instead.
So the trick is to keep the validation on the server. That way, they cannot cheat, because everything other than the commands you provided are blocked.
So talking techniques, you can just write the game logic and session handling in PHP and use plain HTML (hyperlinks) to render the commands. If you like, you can use Javascript/JQuery or forms as well, if you think it is easier or makes your gameplay better. As long as you do the checking on the server, you should be fine.
Small example. When you send data to a .php file for the information be processed further, always, and I mean always be panicked(not like bad panic, but just be carefull) and don't trust user info. If you know that the variable $x is supposed to be only integer, then use an if condition to make sure it is an integer so bad/malicious data won't be a problem.
Use PHP Sessions initialized by <?php session_start(); ?>, then you can store information stored on server referenced by a cookie with a session id.
For example don't store user's id in a cookie, use sessions: <?php $_SESSION['user_id'] = 1; ?>
Then, for example you can store available items in that session, too.
game.com/view-x.php
<?php
session_start();
...
$_SESSION['items_available'] = array('hat', 'shoe');
?>
When for example a user requests a an item via html form, link, ...:
game.com/item-add.php?item=stone
<?php
session_start();
...
if (in_array($_GET['item'], $_SESSION['items_available'])) {
..
}
else {
// 'stone' is not an available item
}
...
First things first. I'm running CodeIgniter on a PHP/MySQL site.
I've been tasked with creating a "shell" application for a series of movies that a person can view for a training website that I'm building. The idea here is that a person would be able to log on to a page, click "Take Course" and have it log what time the course was taken. Then, when the person exits the page carrying the movie, I would be able to record what time the course was ended. This way I can compare the start and end times, and determine if the user had viewed most of the film in order to give the user credit. Well, the first part is easy. First, I've built a table in my database with the following fields:
intKey (intKey(10))
strHash (varchar(255))
dtBegan (datetime)
dtEnded (datetime)
varIpAddress (varchar(255))
I've put in a controller that does this:
$ip_address = $_SERVER['REMOTE_ADDR'];
$data['hash'] = md5(time() . "Proof of Concept!");
$this->db->query("INSERT INTO pocTime SET strHash = '" . $data['hash'] . "', dtBegan = now(), varIpAddress='$ip_address'");
$this->load->view('welcome_message',$data);
OK... easy enough, yes? I also know that when I am done, I want to launch a file that does this:
$ip_address = $_SERVER['REMOTE_ADDR'];
$this->db->query("UPDATE pocTime SET dtEnded = now() WHERE strHash = '" . $data['hash'] . "' AND varIpAddress='$ip_address'");
What I'm hoping to do is have a page that is called by the 1st block of code, and set a "trap" so to speak so that the 2nd block of code is run by some kind of "post back" if the rendered page is closed. Any suggestions? I know that I could put some sort of big "CLICK HERE TO END YOUR VIDEO" type button that would cover this, but I'm looking to run code on some form of exit from a page, because I don't know what the user would do after viewing the video. Any thoughts?
Simple but should work, using jQuery
$(window).unload(function(){
$.get("test.php?dim1=turn&dim2=off");
});
Using unload which jQuery documentation tells what triggers this:
http://api.jquery.com/unload/
Using get which jQuery documentation is here:
http://api.jquery.com/get/
Or you can use post as well
$(window).unload(function(){
$.post("test.php", { dim1: "turn", dim2: "off" } );
});
http://api.jquery.com/jQuery.post/
You are looking for jQuery's unload event.
I would also recommend that you use Codeigniter's Active Record Syntax in your database queries. Not only does it make writing INSERT and UPDATE queries much easier, it will also escape and sanitize your input to protect you from SQL injection.
Basically i have a form where a studentID is inputted, i then want to check id the inputted studentID is in the database, if it is post the form to the next page. If not then display an error on the page where you input studentID
Don't really know where to start
Cheers
is this what you want?
<form id = "form" action = "./?page=markandfeedback" method = "post">
<br>
Mark for:
<INPUT id="stud" onkeypress="return isNumberKey(event)" type="text" name="stud" value="Enter Student Number">
<input type="submit" value = 'Continue'>
<?
$studID = $_POST['stud'];
$module2 = $_SESSION['module'];
$ex = $_POST['exer'];
$studerr = array();
$sql = 'SELECT * FROM `student`, `modules` WHERE `studentID` = '.$studID.' AND `moduleCode` = '.$_SESSION['module'];
$result = mysql_query ($sql);
// echo $_SESSION['module'];
if ($result == NULL) { // nothing found
echo "the student id you entered is not in the database";
}
else {
$_SESSION['student'] = $studID;
Header("Location: http://www.whereever.com/"); // send the browser where you want
exit();
}
?>
EDIT:
I went over the other answers. I assume you check for mysql injection properly. I recommend implementing AJAX AFTER everything works and is secure. The idea behind my solution was to solve the problem as simple as possible. If you want to make something fancy out of it you could:
generate the whole form via php and tell the user in the input field, that the id wasn't found
tell your Javascript to present the information in some fancy way
Use AJAX. Everybody loves forms with AJAX.
You could, as suggested, assume that the user entered a valid id. You would check on the "whereever" page wether the id is actually valid. If it weren't, you would simply send the user back to the form and tell the php to output an error message (maybe via get). This possibility is not usual, I am not sure if it has any advantages.
the mysql_num_rows hint is nice, too, if you don't want any data from the user. I thought you wanted to do something with the data because of the SELECT *.
Make a seperate controller that does the checking of the username.
Use ajax to check if user input is valid or not.
So you'll have something like this:
<input id="stud" onchange="checkStudentId(this)" />
<script>
function checkStudentId(inputElement) {
var id = inputElement.value();
$.ajax({
url: "test.html",
context: {id:id}
}).done(function() {
// Check the return result
});
}
</script>
Here is a reference to jquery ajax
http://api.jquery.com/jQuery.ajax/
You actually have to connect to the server in some fashion to figure out of the student exists. What you'd normally do in this situation is submit the form to the server and do validation server-side. If the student exists, you return the "next" page. If the student doesn't exist, then you return (or redirect to using a Location header) the same form again with an error message.
Another popular method would be to use an AJAX request to check asynchronously (which I see many other people are recommending). I'd only recommend this way if you're actually doing validation right as they've finished entering the student id and are showing an error message in real-time, effectively. In this way, AJAX is a nice-to-have to provide quick user feedback, but not a real solution. Keep in mind that regardless of this, you need to check for and handle this when the form is submitted anyway, or at the least, consider what will happen when the form is submitted with an invalid id.
People can bypass this check (EVERY request from the client side is considered hostile, you can't implicitly trust anything)
Another user may have deleted the student ID between the time the check was done and the form was submitted
There could be an error in your code that causes validation to falsely pass or not to recognize a negative response
Doing AJAX onsubmit makes no sense, because effectively you're doubling the amount of work by making the server handle two separate requests in a row. It's simply the wrong answer to the problem.
The biggest trouble with this implementation is the PHP code can quickly get quite hairy and hard to follow as you have everything mixed together.
This is where you probably start to tip over using PHP like a templating language (mixed php code and html markup) and start getting into using a framework where your views (the HTML) are decoupled from your PHP code (if you're using the very-populate MVC pattern, this code is called your controller -- precisely because it controls how the server responds). This is how any professional developer will work. Kohana, CakePHP, and Zend are all examples of fairly popular MVC frameworks, all of which are used professionally.
You can do this in two different ways
AJAX - make ajax call to your server and check the ID if its exist display the error else go to the next page
PHP - put a hidden input in your form and make the action of the form to the same page and check everything their and keep the values of the input fields is the $_POST['field_name'];
And you can make the action into another page and return back variable or make a session to hold the error message
Try this:
<?
if(isset($_POST['stud'])){
$studID = $_POST['stud'];
$module2 = $_SESSION['module'];
$ex = $_POST['exer'];
$studerr = array();
$host="hostname";//your db host
$user="user";//your db user
$pass="pass";//your db pass
$conn=mysql_connect($host,$user,$pass);
$sql = 'SELECT * FROM `student`, `modules` WHERE `studentID` = '.$studID.' AND `moduleCode` = '.$_SESSION['module'];
$result = mysql_query ($sql,$conn);
if(mysql_num_rows($result)>0){//the id was found in the DB, do whatever here...
echo $_SESSION['module'];
$_SESSION['student'] = $studID;
Header("Location: http://www.whereever.com/");//redirect to wherever
$error=false;
}
else{//id was not found
$error=true;}
}//end of isset
?>
<? if($error===true){?> <div> The id was not found.... </div> <?}?>
<form id = "form" action = "<? echo $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']; ?>" method = "post">
<br>
Mark for:
<INPUT id="stud" onkeypress="return isNumberKey(event)" type="text" name="stud" value="Enter Student Number">
<input type="submit" value = 'Continue'>
So what this does is: When the user hits submit, conects to the DB, and checks if the ID exists...if it does, then it redirects it to wherever.com (see comments) and if it don't an error messege will show up. Be sure to change the db variable values to your own ($host, $user, $pass).
Currently I have a file called "hits.php" and on any page I want to track page hits I just use <?php include("hits.php"); ?>
How can I track unique visitors only though? My hits are false since it can be refreshed by the same person and hits go up.
Here's my source:
<?php
$hits = file_get_contents("./client/hits.txt");
$hits = $hits + 1;
$handle = fopen("./client/hits.txt", "w");
fwrite($handle, $hits);
fclose($handle);
print $hits;
?>
I don't really know how I could do cookie checking... is there a way to check IP's? Or what can I do?
Thanks StackO.
The simplest method would be cookie checking.
A better way would be to create an SQL database and assign the IP address as the primary key. Then whenever a user visits, you would insert that IP into the database.
Create a function included on all pages that checks for $_SESSION['logged'] which you can assign whatever 'flag' you want.
If $_SESSION['logged'] returns 'false' then insert their IP address into the MySQL database.
Set $_SESSION['logged'] to 'true' so you don't waste resources logging the IP multiple times.
Note: When creating the MySQL table, assign the IP address' field as the key.
<?php
session_start();
if (!$_SESSION['status']) {
$connection = mysql_connect("localhost", "user", "password");
mysql_select_db("ip_log", $connection);
$ip = $_SERVER['REMOTE_ADDR'];
mysql_query("INSERT INTO `database`.`table` (IP) VALUES ('$ip')");
mysql_close($connection);
$_SESSION['status'] = true;
}
?>
There isn't a perfect solution, but the first two methods (IP address and/or cookies) are the most reliable, and a combination might be even better.
Rather than reinventing the wheel I used an off the shelf solution. For commercial reasons I avoided Google Analytics (I don't want Google to know my web stats - their best interests are not mine). They're probably fine for non-commercial websites, or if you don't use Google for advertising. There are also dozens of alternatives. Eg I use Getclicky.com
At a basic level, you can get the client's IP address by using the PHP $_SERVER['REMOTE_ADDR'] property
Consider setting a cookie or using a session, though this can be defeated by deletion of a cookie or cookie rejection. See the PHP setcookie docs for more info.
There are other methods for browser fingerprinting - check out all the different data you could conceivably use at https://coveryourtracks.eff.org/
How about google analytics if you cant. you could do a database or create another file with the IPs in it, but it could get complicated with a flat file like that.
I found the solution of very poor quality and just a quick and dirty way of doing it.
I too was developing something similar and formulated a quick method which works without redundancy.
I needed a counter for every time someone accessed another user's profile.
Pseudo:
Create a table with viewer's name and viewee's name (daily_views table).
Check to see if exists the viewer's name with the viewee's name (on the same row).
If they do not exist, update user counter +1 (in users table).
Else do nothing.
Reset entire table values null every 24/12 hours via cron job.
This will deny the same person accessing the same user profile to add 1 to the
counter on refresh for the whole day (or 12 hours) whereas the above solution
by Glenn Nelson would indeed add 1 to the counter, but deny adding to every
user's counter at the same time.
Not only this, but if you were to logoff and log back in to the website, then
it would simply re-add to the counter in which some cases trolls and haxorz
wannabe's will exploit this (as the session is destroyed and started again).
Here are my sample tables:
users
{
user_id INT(8) auto increment, user_name varchar(32), user_counter INT(12)
};
daily_views
{
view_id INT(8) auto increment, viewer_name VARCHAR(32), viewee_name VARCHAR(32)
};
Here is sample code I've written:
<?php
session_start();
$uname = $_SESSION['username'];
$vieweepage = $_GET['name']; //gets the name of the persons page/profile via previous page/form
$connect = mysql_connect("localhost","user","password") or die("Couldn't connect; check your mysql_connect() settings");
$database = mysql_select_db("database") or die("Could not locate database!");
$query = mysql_query("SELECT user_counter from users");
$query = mysql_fetch_row($query);
$counter = $query[0];
$viewcheck = mysql_query("SELECT viewer_name from daily_views WHERE viewee_name='$vieweepage'");
$viewrow = mysql_num_rows($viewcheck);
$newcounter = $counter + 1;
if($viewrow == 0)
{
$update = mysql_query("UPDATE users SET user_counter='$newcounter' WHERE user_name='$vieweepage'");
$insert = mysql_query("INSERT into daily_views (viewer_name, viewee_name) VALUES ('$uname', '$vieweepage')");
}
?>
currently i am using remote address and session ID for visitor.i think its valid visitor because a single user can visit no of times in a days and counter not depends on refresh its only depends on new session.
You could save a timestamp to localStoage in javascript. LocalStoage isn't removed by the browser, so you should be save to check against that. I know that it isn't serverside checking, but it may be helpful anyway.