deny access to data(a video) when hitting back button on browser - php

Im doing a quiz (php and mysql) for some students, the quiz is based on a video they have to watch..
the order is this..
1)they enter a unique web page for every user
2)access a page with a video for the user to watch...
3)on the bottom of the page there's a button "Answer Quiz"
4)When they click the button, they are send to a page with the quiz
Here's where the problem happens, i want to prevent the user from watching the video again, but when they hit the back button, well there's the video again for them to watch
im blocking the video in a video table in mysql db, but the video is cached or something, so this is not the approach of preventing the user to watch the video again when hitting the back button...
.
any ideas of how to achieve this??
any help appreciated......

Checking from your latest comment, I would assume that you have a table, expired_quizzes with at least three columns, quiz_id, quiz_filename and the boolean is_active. I would also normalize the table to a userid as well, so if user A views it and takes the quiz, user B can still see the video (makes cheating with a friend easier, though). It is hard to know exactly what is going on without seeing any code or structure, but try checking a couple of these things:
If you look up the quiz based upon a search, and the webpage uses a variable $_GET, then anytime the webpage is visited, it will always load the quiz. So considering:
http//www.yourwebpage.com/?quizfilename=viewablequiz.mp4
Depending upon your PHP instructions, it will always load viewablequiz.mp4. There are two recommendations to prevent it.
Don't load $_GET['quizfilename']. Rather load $_GET['quizid'] and recall the filename from the query with additional search parameters, such as:
'SELECT * FROM expired_quizzes
WHERE quiz_id='{$_GET['quizid']}' AND is_active=1
LIMIT 1;'
Then, return row['filename'] in your PHP code, or handle with a response to the user if no results are found (no unexpired quizzes).
Load the video via AJAX. Use a similar query on the PHP side as mentioned above, but since it requires a look-up after loading, a refresh of the screen will not load anything.
To prevent cheating, you should probably also have another table which records every time the video is viewed, with a timestamp and userid. It can help detect a cheating attempt later by seeing who was testing and viewing at the same time.
Of course, always protect against SQL injection and don't put user input directly into the SQL statement.
For a more detailed analysis, you should post just the relevant PHP, HTML and SQL within the question.

Related

The most efficient way to handle visitor/user statistics that I want to catch and display?

I am building a link directory style web application. For simplicity all of the following are examples. On my website I have 10 categories. Each category has it's own page and each page has 100 links in a table format. Each link has many columns like name, id, url, etc but the focus of this question deals with the "time last viewed" column. It will display a default text if the user/visitor has never clicked the link however if the link has been clicked by the user prior to the visit it will display the time/date the user last visited that link.
The way I have it set up is when the user clicks the link they are sent to another page/script (using GET method. link 1 is appended with ?rid=1) I use a switch contruct. (Case value is 1 from $_GET execute code block) this code block is where i need the user statistics caputuring to happen. Once the function runs and both captures and stores the visit statistics info the user is sent to the requested resource via header location. So the next time to user sees the list of links on the category page the link they visited will now display the time they visited it.
On my production site i have up to 1000 links. If they clicked each link it would say next to each link the last time they clicked it. Important to include users will be logged in when clicking each link.
How would you go about doing this? Store the info in a cookie or in the database? As there are 1000 links there could be 1000 different values. Thanks in advance.
It isn't a lot of data so you can do both, store in the database as well as store in a cookie. Ideally for performance, you should retrieve from the cookie first and then retrieve from the database if the cookie doesn't contain any user information pertaining to that link. Depending on your performance requirements and the amount of traffic you anticipate, you can use database storage, in-memory storage and asynchronous updates.
database updates are instant but can impact overall performance and page load times
in-memory caching such as apc gives best performance but data needs to be synchronised to the database
asynchronous updates are great for balancing out performance hits because you can register a view from the client side using JavaScript after the page has loaded, rather than during php execution on server side.
Personally I would use all 3 if possible because it gives a good platform for future development.

How do I make SQL changes without leaving the page?

I have a page which lists out book reviews which are pulled from an SQL database, and listed out in a loop with PHP.
The text of some of the reviews may contain "spoilers" (meaning the review reveals plot points and may "ruin the surprise" for would-be readers.)
I want to have a link/button which a reader clicks, saying "This Review Contains Spoilers". When they click it, there's a field in the SQL record for that review, which gets incremented. But, without leaving the page, as the viewer will continue reading the reviews.
You need to make use of Ajax, exactly of XMLHttpRequest (abbr.: XHR). jQuery is a good framework that has cross-browser support for the different XMLHttpRequest calls. With this technique you could send a http request to a server at any time on the loaded page you want. E. g. when the user clicks the spoiler. For more information about it see here: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest For more information about jQuery please see here: http://www.jquery.com

How to avoid some SQL queries in PHP?

I am developing a PHP web app with jQuery and Twitter Bootstrap. And it uses AJAX for everything. So, I show a form in HTML5, the user press a button (class="btn"), the form is sent to PHP (jQuery, AJAX), PHP makes a query to the MySQL and echoes an answer, which is shown in the form (jQuery). This is basically how the web app works.
But here's the deal, the first form it is showed, it's a div that shows some news. For example:
A new user was created.
There is new important date.
Someone wants to text you.
So I've created a table in MySQL called News where I saved some values than mean something like:
1: A new user was created
...
Everytime the user log in will se that. It means that there will be a query and a response as soon as the HTML5 get loaded when a user log in.
The index.html file has a navbar (Bootstrap), and a option call News. When the user clicks it, the same query will be executed, but not necessarily the same response.
I thought in modifying the div with news whenever the user does an action. But, an action can also be done by another user. So it is necessary to make the query again!
Is there any solution that allows me to avoid querying the database when the user wants to get the news? Or how can I know that it is necessary to update the div right now? I was taking a look at caching queries but didn't arrive to a conclution.
Sorry if my english is not too good, it is not my native language.
Thank you.
You can send a timestamp in every news response from the server and save it in javascript. The next time you make a request, send the timestamp you saved and the server checks if there are more recent news, sending nothing if there is none as the last response is still the newest.
Well, there is a downside here, you still need to make a query to the database (filtring the results with a WHERE clause like 'WHERE ... TIMESTAMP > last_timestamp_from_browser') which is perfectly valid, SGBDs are designed for this, and if you don't have thousands of users accessing your website at the same time there will not be any problem. With this approach you will only save bandwitdh as the connection to the database is still made.
There is another way that prevents this connection from being made, cache some values of last news inserted which could be user specific or global and save them in APC module (or memcached). You'll need to discover what to cache and when (you can't cache the entire database, just some well organized timestamps and maybe the most requested news for example). This way you prevent the database connection from being made. This will force you to do many many more code, so, use it only if you really need it, like thousands of user connections at once.

How can I pass variables in PHP from the same page?....logical thinking puzzle

so I've hit a potential problem in my site....it's a post-based system, with the posts being in text files. Uses some Javascript and a lot of PHP.
When you make a submission on the form on the homepage, you are sent to a page where data is posted and processed, but you don't see it because you get redirected back. Then the homepage is changed based on what the post you made says. All that was working fine.
But now I'm trying to add a new feature that modifies the post you made, based on a button you hit which submits a hidden form using javascript, and sends to another process and redirect page you don't see, and it works fine until the block that I realized today. I don't know how to specify that the post being altered is the right one.
I anticipate a good amount of users of this site, so my concern is what if user X makes a post while user Y is making a post, and the post of user X becomes the top post, so user Y's options actually change user X's post.....
I was thinking of adding to the main processing page (the one that happens when you first submit) a COOKIE or something that would make note of the number of the line that post will become, by counting the number of the lines in that file at the time and adding 1 to it. Then checking it against the user's number (each user has a number) to see if it's that user's most recent post....but the problem is I don't know how I would pass that value around to be read in the next page.
Setting a COOKIE is out I think because the page both redirects, AND reads and writes to files. The only output to the page though are currently var_dumps.
POST/GET is out because to my knowledge the user would have to do SOMETHING to submit it, and the user's not even going to see the page.
Writing to a file would be messy if lots of users are trying to get their own data.
I think what I may be looking for is SESSION variables...but I don't know anything about those except that they're used to login to pages, and this site has no login.
To make things more fun, when a user posts the same content within a minute of another user, the first user's post is replaced and it gets a little +1 next to it...which makes it harder to check it against the user's number....
AND in the end I'm trying to use AJAX (which I dont know yet) to make the updates in real-time...now THAT is going to suck. But for now I'm worried about my static little site.
Baby steps.
Any ideas how to go about this??
Use Session variables, just as you have alluded. They aren't just used by login pages, they are used by everything. Sessions are the equivalent of server-side cookies / server-side storage, so you don't have to worry (as much) about your users tampering with them.
If you want to make life more difficult for yourself, you can json encode your variables and store them as an object in a database or even flat text file. But really, read up on sessions.
All you need to know is session_start(); before anything else then $_SESSION['var']=$yourvar; to save data and $_SESSION['yourvar'] to retrieve it later (such as on another page).

What's the safest way to remove data from mysql? (PHP/Mysql)

I want to allow users as well as me(the admin) to delete data in mysql.
I used to have remove.php that would get $_GETs from whatever that needed to be deleted such as... remove.php?action=post&posting_id=2. But I learned that anyone can simply abuse it and delete all my data.
So what's the safest way for users and me to delete information without getting all crazy and hard? I am only a beginner :)
I'm not sure if I can use POSTs because there is no forms and the data isn't changing.
Is sessions good? Or would there be too many with postings, user information, comments, etc.
Ex: James wants to delete one of his postings(it is posting_id=5). So he clicks the remove link and that takes him to remove.php?action=post&posting_id=5.
EDIT: Alright, so now I am a little confused. While I can't be 100% secure, how do I do this with $_POSTs?
SOO I should use GETs to get all the data to remove.php, THEN have a confirmation submit button and when users click on it, it put all the data into POSTs and delete from the dbc?
Deleting records is a kind of a scary practice. If you or someone makes a mistake there's no real recourse to resolve the issue. Expunged records are very hard to resurrect.
Instead of deleting records, you could add an "active" bit (e.g. Boolean) column that is toggled off when users "delete" records. Essentially your users would be suspending records by toggling them off and the records would be saved in case mistakes or abuse but appear "deleted" to the user. To make this work with your other queries, just add a where clause of active = 1.
You could then have a utility script that's run at some specific date interval that would clean out deprecated, past dated records. You'd also need some type of timestamp for this type of maintenance.
Just a thought. Take if for what it's worth.
I'll echo gurun8 in preferring to 'mark' records as deleted, instead of actually removing data. And then obviously, you'll need to check that the authenticated user has permission to delete the post.
However, it seems very important to mention that $_GET is not safe even with authentication because of cross-site request forgery.
Imagine if Amazon adding things to your cart based on a GET request. All I'd have to do is put an image on my page with that URL, and everyone who visited that page and logged into Amazon will have products added automatically.
To match your example, I don't like Jame's post, so i put an image on my site like this:
<img src='http://example.com/remove.php?action=post&posting_id=5'>
And I send him a link to my page, and ask him to check it out, hoping that at the time he's logged in to your site. Because, of course, he clicked that little 'keep me logged in' button.
So you are right to be concerned about using GET. If you don't want to litter pages with forms, then confirm the action by POST.
Well you have to start by authenticating the users with a login script.
If you want the simplest solution possible, then I'd suggest protecting the directory in which you have remove.php with a simple .htaccess username and password.
If different users have different rights for deleting database entries, then you probably should create a PHP login script and use PHP session.
Bonk me if I'm stupid, but I searched for quite some time for a simple PHP login tutorial that could be placed on a real site (doesn't use session_register(), uses mysql_real_escape_string(), htmlspecialchars() etc) and I simply couldn't find one!
Probably this one comes the closest, you just have to replace session_register() variables with $_SESSION ones for it to work without register_globals (default in PHP5).

Categories