Gotta love the unreliable, Seeking Account Creation help

Hello everyone. I run a small web community of about 300 active members. Most everything is made from either code/examples released by others or by who used to be my developer.

Sadly, I don't know much of anything about either PHP or the MSSQL server we use, and my developer has gone MIA.

As of late, we have been trying to run an event within our community in which members are awarded points that can be spent on virtual items, for every 25 votes they make for our community. Sounds easy, right? Once we get another 25 votes, a simple SQL query to add the points value to their existing points. Done.

Well, I figured that part out after my dev ran off on me. However, I face a bigger problem. I now have many members abusing the system we have now by creating account after account after account to receive the points on numerous accounts.

Basically, what I was wondering (and cannot find after a few days of searching and some horrid code attempts of my own), is this: is there a way to add just a bit of code to my already existing account creation script that will check for pre-existing IP addresses, and reject the account creation if there are more than say…5 accounts?

I know IP restrictions can cause additional issues, such as numerous users at the same location. However, it is much more effective than limiting account creation to one account per email. With the mass array of free email options out there, it takes but a minute to get a new email.

I am…learning SQL and PHP now that I have no choice, but I have learnt very little thus far, so please bear with me if I am asking a bit much for a nub like myself. Usually, I would prefer to do it all the hard way, but my dev left me in a bit of a rough spot.

Any ideas, example, suggestions, or nudges in the proper direction will be greatly appreciated. Thank you.

-Frank

You need to search through your Usernames table in your database, check the IP column. Then follow it up with a simple if statement. If >= 5 … Die or redirect… Else continue account registration.

Would something along these lines do the job?

[php]// Validate user name.
$result = @mssql_query("SELECT UserID, UserIp FROM PS_Users.dbo.Users_Detail WHERE UserID = '{$username}' AND UserIp = '{$userip}'") or die('Failed to verify, as the provided user named already exists.');
if(empty($username)){
	$errors[] = 'Please provide a user name.';
}else if(strlen($username) < 3 || strlen($username) > 16){
	$errors[] = 'User name must be between 3 and 16 characters in length.';
}else if(ctype_alnum($username) === false){
	$errors[] = 'User name must consist of numbers and letters only.';
}else if(mssql_num_rows($result)){
	$errors[] = 'User name already exists, please choose a different user name.';
}
//Check for number of accounts
if ($UserIp > 5) {
	$errors[] = 'You have too many accounts assigned to your IP address.';
}
// Validate user password.
if(empty($password)){
	$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
	$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
	$errors[] = 'Passwords do not match.';
}[/php]

Forgive me if this is nowhere near what it should be, as I said, I am trying to force myself to learn this little bit much faster than I should be. And thank you for the bit of info thus far.

-Frank

> I know IP restrictions can cause additional issues, such as numerous users at the same location. However, it is much more effective than limiting account creation to one account per email. With the mass array of free email options out there, it takes but a minute to get a new email.

This will only be more effective if people have static IP addresses.

This is still a good precaution to take.

Frank,

Try this out… It should be what you need. Changed your query to get the number of accounts matching the IP.

[php]$result = @mssql_query("SELECT UserID FROM PS_Users.dbo.Users_Detail WHERE UserID = '{$username}'") or die('Failed to verify, as the provided user named already exists.');
$result2 = @mssql_query("SELECT UserIp FROM PS_Users.dbo.Users_Detail WHERE UserIp = '{$userip}'") or die('Failed to verify, as the provided user named already exists.');
$accts = mssql_num_rows($result2);
//Check for number of accounts
if ($accts >= 5) {
	$errors[] = 'You have too many accounts assigned to your IP address.';
}

if(empty($username)){
	$errors[] = 'Please provide a user name.';
}else if(strlen($username) < 3 || strlen($username) > 16){
	$errors[] = 'User name must be between 3 and 16 characters in length.';
}else if(ctype_alnum($username) === false){
	$errors[] = 'User name must consist of numbers and letters only.';
}else if(mssql_num_rows($result)){
	$errors[] = 'User name already exists, please choose a different user name.';
}
// Validate user password.
if(empty($password)){
	$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
	$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
	$errors[] = 'Passwords do not match.';
}[/php]

I just don’t think it is a good thing to rely on at all, as a much higher percentage of people have dynamic IPs.
Domestic users are always assigned dynamic IP addresses unless they have good reason to request otherwise and want to pay the cost.
Most companies will also use a dynamic IP address unless they wish to set up a VPN or a web server with a fixed IP.
So to get a new IP they could either wait a day, or reset their connection.
I know I’m not offering an alternative and it won’t do any harm having it in, but I just think another step should be put in place to stop users abusing it.

I did give this a shot; unfortunately, I had the same issue as I had when trying to make the changes on my own. It created the account anyway.

Yes, I know that most have dynamic IP addresses. It is merely a precaution; I don't expect it to be iron-clad.

More on note, however, I do not have a dynamic IP. My IP has not changed since the day I got my net, which is what I have been using to test this before putting it on the web server. In other words, I know I have more than 5 accounts to my own IP at the moment :slight_smile:

I do appreciate the help and suggestions thus far. I am willing to post my entire .php if need be. Minus the server details, of course :stuck_out_tongue:

How are you storing the IP addresses? What table field stores the IP addresses?
Seems to me like it isn’t checking the IP in the database.

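Store the IPs as $userip = $_SERVER['REMOTE_ADDR'];
Then if
[php]// count() on a query result does not give the number of rows; mssql_num_rows() does.
$amount = mssql_num_rows($result2);
if($amount > 5){
	$errors[] = 'You have too many accounts assigned to your IP address.';
}[/php]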

I will give this a shot as soon as I am home from work, and let you know if it works. But to answer the question, it is currently stored in a field labeled as simply UserIp, and it is the $_SERVER['REMOTE_ADDR'] being used to call the info during registration.

Just in case the above does not work, I will add a bit more code here to give a better idea. Once more, thank you all so far for your help, especially on what should be an easy task for most even semi familiar with SQL and PHP.

The help is greatly appreciated. You guys truly are great :smiley:

<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

$user_ip = $_SERVER['REMOTE_ADDR'];
$username = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
$password = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
$password2 = isset($_POST['password2']) ? mssql_escape_string(trim($_POST['password2'])) : '';
$errors = array();
$success = false;
if(isset($_POST) && !empty($_POST)){
	require_once('db.php');
	
	// Validate user name.
	$result = @mssql_query("SELECT UserID FROM PS_User.dbo.Users_Detail WHERE UserID = '{$username}'") or die('Failed to verify is the provided user named already exists.');
	if(empty($username)){
		$errors[] = 'Please provide a user name.';
	}else if(strlen($username) < 3 || strlen($username) > 16){
		$errors[] = 'User name must be between 3 and 16 characters in length.';
	}else if(ctype_alnum($username) === false){
		$errors[] = 'User name must consist of numbers and letters only.';
	}else if(mssql_num_rows($result)){
		$errors[] = 'User name already exists, please choose a different user name.';
	}

	// Validate user password.
	if(empty($password)){
		$errors[] = 'Please provide a password.';
	}else if(strlen($password) < 3 || strlen($password) > 16){
		$errors[] = 'Password must be between 3 and 16 characters in length.';
	}else if($password != $password2){
		$errors[] = 'Passwords do not match.';
	}
	// Validate reCAPTCHA.  This is to prevent someone botting account creation.
	$response = recaptcha_check_answer($recaptcha_private_key,$_SERVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
	if(!$response->is_valid){
		if($response->error == 'incorrect-captcha-sol'){
			$errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
		}else{
			$errors['recaptcha'] = $response->error;
		}
	}

That is everything up to the point where the info is persisted onto the database, providing there are no errors. We store the actual connection info in a separate php file, just in case anyone is wondering why the connection strings are missing.

But, yeah, the IP address is stored in a table column named “UserIp”, which currently is not in the SELECT, as there was no check for it before, other than when it comes to actually inserting the IP into the table for the first time after the error checks shown above.

Though, most of you can more than likely catch on to that quicker than I did, lol. I love feeling nub again :-[

This should work.
[php]// Check IP Address count.
// Match on the UserIp column and count the rows returned by the query.
$result = @mssql_query("SELECT UserID FROM PS_User.dbo.Users_Detail WHERE UserIp = '{$user_ip}'") or die('Failed to check the number of accounts for this IP address.');
$amount = mssql_num_rows($result);
if($amount > 5){
	$errors[] = 'You have created too many accounts.';
}

// Validate user password.
if(empty($password)){
	$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
	$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
	$errors[] = 'Passwords do not match.';
}[/php]

If it doesn’t it may just need a bit of tweaking to fit your system.
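
The per-IP check this thread is working toward, written out as an added example; it is not code from any poster. It assumes PDO with an in-memory SQLite table standing in for PS_User.dbo.Users_Detail (the mssql_* functions were removed in PHP 7), and the function name and the MAX_ACCOUNTS_PER_IP constant are hypothetical.

```php
<?php
// Added example: per-IP account cap using a parameterized COUNT(*) query.
// Assumptions: an in-memory SQLite table stands in for PS_User.dbo.Users_Detail;
// ipOverAccountLimit() and MAX_ACCOUNTS_PER_IP are hypothetical names.

const MAX_ACCOUNTS_PER_IP = 5;

/**
 * Returns true when $ip already owns $limit accounts, so the next
 * registration would push it past the cap.
 * Throws on an invalid address or a failed query, so a database error
 * stops registration instead of silently letting it through.
 */
function ipOverAccountLimit(PDO $db, string $ip, int $limit = MAX_ACCOUNTS_PER_IP): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('Not a valid IP address');
    }
    // Filter on the IP column (UserIp), not the user-name column (UserID),
    // and let the server count instead of fetching every matching row.
    $stmt = $db->prepare('SELECT COUNT(*) FROM Users_Detail WHERE UserIp = :ip');
    $stmt->execute([':ip' => $ip]);
    return (int) $stmt->fetchColumn() >= $limit;
}

// Constructed sample data: five accounts from one address, one from another.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users_Detail (UserID TEXT PRIMARY KEY, UserIp TEXT)');
$insert = $db->prepare('INSERT INTO Users_Detail (UserID, UserIp) VALUES (?, ?)');
foreach (['alt1', 'alt2', 'alt3', 'alt4', 'alt5'] as $name) {
    $insert->execute([$name, '203.0.113.7']);
}
$insert->execute(['frank', '198.51.100.20']);

// Same $errors convention as the registration script in the thread.
$errors = [];
foreach (['203.0.113.7', '198.51.100.20'] as $ip) {
    if (ipOverAccountLimit($db, $ip)) {
        $errors[$ip] = 'You have too many accounts assigned to your IP address.';
    }
}
var_dump(array_keys($errors));
```

Against the real database only the PDO connection and the table name change; the prepared statement keeps the address out of the SQL string, and an exception on query failure blocks the registration rather than skipping the check.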
