432598 php mysql security cheat fix

In Progress
Posted over 13 years ago

Paid on delivery
Hello,

This is a repost, so if you bid on the previous one then please rebid. Things didn't work out on the last project.

I have a script that allows members to browse other members' ads. It is supposed to check and, if the user has viewed it once before, not give them credit for viewing it again. This part works. The problem is that there is a way around this that allows people to use autoclicking software to rack up points. I need it locked down where the members can't get around it.

Here is how it normally works. Members go to a page [login to view URL]; this page displays 3 ads at a time. As soon as the page is loaded it inserts those 3 ads in the database as viewed, not paid (no points earned).

If the member clicks on the ad link [login to view URL], it checks to see if it is a good ad post:

    $id = $_GET['id'];
    $result = mysql_query("SELECT * FROM `post` WHERE id = '".$id."' LIMIT 1");

If the ad post exists then it checks to make sure that the user has viewed it from the browsead page. If the member has viewed and received points before, it gives a message: "You have already received credit for this link". If the member hasn't viewed and received points before then it goes to the next stage [login to view URL], which sets a timer. Then when the timer runs out it goes to the 3rd stage [login to view URL], which checks to make sure the ad exists:

    $id = $_GET['id'];
    $query = "select * from post where id = '".$id."' LIMIT 1";

If the ad exists, it checks to make sure they have viewed it from the browsead page. If they viewed and earned points they get the already viewed message; if they haven't, they earn credits for viewing it, then it proceeds.

So basically, just for loading the page [login to view URL], the 3 ads get inserted into the viewed table as viewed (that way they don't see the ad again):

    $queryadtolist="insert into viewed (userid, postid) values ('$userid','$postid')";
    $resultadtolist=mysql_query($queryadtolist);

But if they click on the ad they earn points for it and it is marked as paid:

    mysql_query("UPDATE viewed SET paid = '1' WHERE userid='".$userid."' and postid=".$id);

Somehow someone has figured out how to get around the checks and just put the URL on an autorefreshing script and continually earn points. I'm not exactly sure which URL they are using; it could be [login to view URL] or [login to view URL]. They open the ad link with [login to view URL], and then the [login to view URL] loads with the timer in the frame, and then [login to view URL] to finish it up. I did find on another ad type that they got around it by opening the last frame in a browser, but I haven't been able to duplicate how they are doing this one.

I would like someone that can take the attached files (4 files + database structure), read the code, understand how it works and come up with a fix. You don't need to try and impress me by telling me the script coding sucks; I already know that, that's why I'm here. If you can fix it, just submit your bid. You won't get access to the server, so be sure you can do this with just the attached files. All payments made via escrow.
Project ID: 2178470
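
One way to close the bypass described in the posting, as an added example that is not part of the original posting or the client's files: the final stage accepts a request only with an HMAC token issued by the timer stage, enforces the wait on the server, and pays through a conditional UPDATE so repeated requests credit nothing. The key, timer length, function names and the members table are assumptions; PDO prepared statements stand in for the script's mysql_query calls.

```php
<?php
// Added example. SECRET, MIN_VIEW_SECONDS, issueToken(), creditView() and the
// members table are hypothetical; viewed(userid, postid, paid) is from the post.
const SECRET = 'replace-with-a-random-server-side-key';
const MIN_VIEW_SECONDS = 20; // assumed timer length

// Timer stage: hand the browser a token bound to user, ad and start time.
function issueToken(int $userId, int $postId, int $now): string {
    $payload = "$userId:$postId:$now";
    return $payload . ':' . hash_hmac('sha256', $payload, SECRET);
}

// Final stage: check the token, enforce the timer on the server, pay once.
function creditView(PDO $db, int $userId, int $postId, string $token, int $now): bool {
    $parts = explode(':', $token);
    if (count($parts) !== 4) return false;
    [$u, $p, $t, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$u:$p:$t", SECRET), $mac)) return false;
    if ((int)$u !== $userId || (int)$p !== $postId) return false;
    if ($now - (int)$t < MIN_VIEW_SECONDS) return false;

    $db->beginTransaction();
    // Conditional update: only a viewed-but-unpaid row can flip to paid, so a
    // replayed or auto-refreshed request matches zero rows.
    $upd = $db->prepare('UPDATE viewed SET paid = 1
                         WHERE userid = ? AND postid = ? AND paid = 0');
    $upd->execute([$userId, $postId]);
    if ($upd->rowCount() !== 1) { $db->rollBack(); return false; }
    $db->prepare('UPDATE members SET points = points + 1 WHERE id = ?')
       ->execute([$userId]);
    $db->commit();
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE viewed (userid INT, postid INT, paid INT DEFAULT 0)');
$db->exec('CREATE TABLE members (id INT PRIMARY KEY, points INT DEFAULT 0)');
$db->exec('INSERT INTO members (id) VALUES (7)');
$db->exec('INSERT INTO viewed (userid, postid) VALUES (7, 42)');

$token = issueToken(7, 42, 1000);
var_dump(creditView($db, 7, 42, $token, 1005)); // final stage hit before the timer ran
var_dump(creditView($db, 7, 42, $token, 1030)); // timer elapsed, first request
var_dump(creditView($db, 7, 42, $token, 1031)); // same URL requested again
```

In the real pages the user id would come from the login session and the current time from time(), never from request parameters.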

About the project

Remote project
Active 12 yrs ago

About the client

Hollister, United States
5.0
50
Payment method verified
Member since Jul 3, 2008
