Re: Checking Post Data against DB Data

Doing a select to get every record, and then looping through them all,
concatenating a bunch of stuff together, and then using PHP to test ==
is not very efficient...

Why not just:

$sql = array_map('mysql_real_escape_string', $_POST);
$query = " select count(*) from central ";
$query .= " where conName = '$sql[conName]' ";
$query .= "   and conAddress = '$sql[conAddress]' ";
.
.
.
$query .= "   and SOME_DATETIME_FIELD_WHEN_THEY_REGISTERED >=
date_sub(now(), interval 1 day) ";

Also note that you are currently comparing the $_POST['timeStamp']
which is *probably* generated at the time the HTML form was sent with
time(); which is when the script is processing, which will be MUCH
less than one day, unless a user opens up the form, walks away for 24
hours, and then comes back to complete registration...

You need a field in the database from previous registration to compare
to time().

Also note that, in general, it's very very very easy to subvert this
by simply changing non-essential data in the input.

E.g., I live at:

6112 N Wolcott
6112 North Wolcott
6112 N. Wolcott
6112 N Wolcott Ave
.
.
.
I could easily register 20 times a day, if I like, and you'd never
catch it.

So, given all that, and given what you are TRYING to do, I'd suggest
just going on their PHONE number, and requiring a valid phone number
to "win" or JUST going on their email address and requiring a valid
email.

It all depends how serious you are about the 1 per day rule, though...

On Tue, July 10, 2007 9:55 am, kvigor wrote:
> /*Good Morning to All,
>
> I am having an issue with the following code.  I'm trying to match
> $newRegistrant (which is concatenated form data) with $oldRegistrant
> (which is concatenated DB data).  The code is supposed to check if the
> Registrants match; if they do, then check if the last registration was
> less than 24hrs ago; if it was, it sets $FLAG to 1 and throws an error
> at the user.
>
> Problem is the following code only displays the error message from the
> "//unknown check" section, and not the //central check section.  I
> know the code is virtually identical except for the table it's pulling
> data from.  POST data has been mysql escaped.  And the form is
> submitted twice w/same info and no FLAG/error message*/
> //I hope this helps.  Because I NEED HELP :-(
>
> <?php
> include("dbconnection.php");
> $_POST['timeStamp'] = date("Y-m-d h:i:s");
> $timeStamp = $_POST['timeStamp'];
> //======================================== FORMATTING FORM DATA ========================================
> if(isset($_POST['submit']))
> {
>  $_POST['conName'] = strtoupper($_POST['conName']);
>  $_POST['conAddress'] = strtoupper($_POST['conAddress']);
>  $_POST['conCity'] = strtoupper($_POST['conCity']);
>  $_POST['conState'] = strtoupper($_POST['conState']);
>  $_POST['conZip'] = strtoupper($_POST['conZip']);
>  $_POST['conPhone'] = strtoupper($_POST['conPhone']);
>  $_POST['schName'] = strtoupper($_POST['schName']);
>  $_POST['schAddress'] = strtoupper($_POST['schAddress']);
>  $_POST['schCity'] = strtoupper($_POST['schCity']);
>  $_POST['schState'] = strtoupper($_POST['schState']);
>  $_POST['schZip'] = strtoupper($_POST['schZip']);
>  $_POST['strCity'] = strtoupper($_POST['strCity']);
>  $_POST['strState'] = strtoupper($_POST['strState']);
>  $_POST['strName'] = strtoupper($_POST['strName']);
> }
> //======================================== END FORMATTING FORM DATA ====================================
> //============================ CHECKING TO SEE IF THE USER HAS REGISTERED IN LAST 24 HRS =====================
>
>  $newRegistrant = $_POST['conName'].$_POST['conAddress'].$_POST['conCity'].$_POST['conState'].$_POST['conPhone'].$_POST['schName'].$_POST['schCity'].$_POST['schState'].$_POST['strName'].$_POST['strCity'].$_POST['strState']; //NEW REGISTRANT
>  global $newRegistrant;
>
>  //Begin Central Check========================================================================================
>  $matchQuery_cen = "SELECT conName,conAddress,conCity,conState,conPhone,schName,schCity,schState,strName,strCity,strState FROM central";
>  $matchQueryResult_cen = mysql_query($matchQuery_cen,$connection) or die("Query Failed".mysql_error());
>
>  while($matchrow_cen = mysql_fetch_assoc($matchQueryResult_cen))
>  {
>   extract($matchrow_cen);
>   $oldRegistrant = $conName.$conAddress.$conCity.$conState.$conPhone.$schName.$schCity.$schState.$strName.$strCity.$strState;
>   $varStamp = $_POST['timeStamp']; //CURRENT DATE in MySQL DATETIME FORMAT
>   $varStamp = strtotime($varStamp); //CONVERT DATETIME FORMAT INTO MATHEMATICAL DATA/UNIX-STAMP
>
>   $varStamp = $varStamp + '86400'; //STORED TIME OF REGISTRANT + 1 DAY
>
>   $currentTime = time(); // CURRENT DATE IN MATHEMATICAL DATA/UNIX-STAMP
>
>   if($oldRegistrant == $newRegistrant && $currentTime < $varStamp )
>   {
>    $FLAG = 1;
>    global $FLAG;
>   }
>   else
>   {
>    $FLAG = 2;
>    global $FLAG;
>   }
>  }
> //End Central Check=========================================================================================
> //Unknown Check============================================================================================
>  $matchQuery_unk = "SELECT conName,conAddress,conCity,conState,conPhone,schName,schCity,schState,strName,strCity,strState FROM unknown";
>  $matchQueryResult_unk = mysql_query($matchQuery_unk,$connection) or die("Query Failed".mysql_error());
>
>  while($matchrow_unk = mysql_fetch_assoc($matchQueryResult_unk))
>  {
>   extract($matchrow_unk);
>   $oldRegistrant = $conName.$conAddress.$conCity.$conState.$conPhone.$schName.$schCity.$schState.$strName.$strCity.$strState;
>   $varStamp = $_POST['timeStamp']; //CURRENT DATE in MySQL DATETIME FORMAT
>   $varStamp = strtotime($varStamp); //CONVERT DATETIME FORMAT INTO MATHEMATICAL DATA/UNIX-STAMP
>
>   $varStamp = $varStamp + '86400'; //STORED TIME OF REGISTRANT + 1 DAY
>
>   $currentTime = time(); // CURRENT DATE IN MATHEMATICAL DATA/UNIX-STAMP
>
>   if($oldRegistrant == $newRegistrant && $currentTime < $varStamp )
>   {
>    $FLAG = 1;
>    global $FLAG;
>   }
>   else
>   {
>    $FLAG = 2;
>    global $FLAG;
>   }
>  }
>
> //END UNKNOWN CHECK====================================================================================
> //========================= END CHECKING TO SEE IF THE USER HAS REGISTERED IN LAST 24 HRS =====================
> ?>
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <?php
> if($FLAG == 1)
> {
>  echo " <div align= 'center' class ='ermess2'><br />*** SORRY ONLY 1 REGISTRATION PER 24HRS. ***</div>";
> }
>
> else
> {
>  function trim_value(&$value)
>  {
>   $value = trim($value);
>  }
> //==========================================================================================================
>  $cen_foodlandPA = file('C:\htdocs\website\central_foodlandPA.txt');
>  array_walk($cen_foodlandPA, 'trim_value');
>  $cen_independents = file('C:\htdocs\website\central_independents.txt');
>  array_walk($cen_independents, 'trim_value');
> //==========================================================================================================
>
>  if(@sizeof($format) == 0 && @sizeof($blank_array) == 0 && @sizeof($curse) == 0 && @sizeof($us_states) == 0 && @sizeof($phoneFormat) == 0 && $FLAG == 2)
>  {
>   echo "<div class = 'div_c_blu'>Thank You for Entering. Your Entry has been accepted!</div>
>   <br />";
>   echo "<div class = 'div_c_blu'> Click on logo to return to Main Page.</div>";
>   $greenLightForDBstorage = "go";
>   global $greenLightForDBstorage;
>  }
>
>  if(isset($_POST['strName'], $_POST['strCity'], $_POST['strState']))
>  {
>   $tab = " ";
>   $storeInfo = $_POST['strName'].$tab.$_POST['strCity'].$tab.$_POST['strState'];
>   global $storeInfo;
>  }
>
>  if(in_array($storeInfo, $cen_foodlandPA))
>  //if statement to check all other fields before record is set
>  {
>   $queryCentral = "INSERT INTO central (conName, conAddress, conCity, conState, conZip, conPhone, schName, schAddress, schCity,
>     schState, schZip, strName, strCity, strState, varStamp)
>     VALUES('$regName', '$regAddress', '$regCity', '$regState', '$regZip', '$regPhone', '$sclName', '$sclAddress', '$sclCity', '$sclState',
>     '$sclZip', '$stoName', '$stoCity', '$stoState', '$timeStamp')";
>
>   mysql_query($queryCentral, $connection) or die("Query failed: ". mysql_error($connection));
>  }
>
>  elseif(in_array($storeInfo, $cen_independents))
>  {
>   $queryCentral = "INSERT INTO central (conName, conAddress, conCity, conState, conZip, conPhone, schName, schAddress, schCity,
>     schState, schZip, strName, strCity, strState, varStamp)
>     VALUES('$regName', '$regAddress', '$regCity', '$regState', '$regZip', '$regPhone', '$sclName', '$sclAddress', '$sclCity', '$sclState',
>     '$sclZip', '$stoName', '$stoCity', '$stoState', '$timeStamp')";
>
>   mysql_query($queryCentral, $connection) or die("Query failed: ". mysql_error($connection));
>  }
>
>  else
>  {
>   $queryUnknown = "INSERT INTO unknown (conName, conAddress, conCity, conState, conZip, conPhone, schName, schAddress, schCity,
>     schState, schZip, strName, strCity, strState, varStamp)
>     VALUES('$regName', '$regAddress', '$regCity', '$regState', '$regZip', '$regPhone', '$sclName', '$sclAddress', '$sclCity', '$sclState',
>     '$sclZip', '$stoName', '$stoCity', '$stoState', '$timeStamp')";
>   mysql_query($queryUnknown, $connection) or die("Query failed: ". mysql_error($connection));
>  }
> }
>
> ?>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
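The approach recommended in the reply above (one COUNT(*) query against a registration time the server itself stored, keyed on phone or e-mail rather than on a concatenation of every free-text field), as an added example that is not code from either poster. It is written in Python against an in-memory SQLite table because the thread's PHP/MySQL code cannot be run here; the table layout, the normalization rules and the sample entries are constructed for the illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Same fixed-width layout as a MySQL DATETIME, so a string >= compare orders correctly.
DATETIME_FMT = "%Y-%m-%d %H:%M:%S"

def normalize_phone(raw: str) -> str:
    """Keep digits only, so '(555) 123-4567' and '555.123.4567' become one key."""
    return re.sub(r"\D", "", raw)

def normalize_email(raw: str) -> str:
    return raw.strip().lower()

def open_db() -> sqlite3.Connection:
    # Constructed stand-in for the 'central' table; registered_at is set by the
    # server at insert time, never taken from the submitted form.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE central (conPhone TEXT NOT NULL, "
               "conEmail TEXT NOT NULL, registered_at TEXT NOT NULL)")
    return db

def registered_in_last_day(db: sqlite3.Connection, phone: str, email: str, now: datetime) -> bool:
    """One parameterized COUNT(*) replaces fetching every row and comparing strings in PHP."""
    cutoff = (now - timedelta(days=1)).strftime(DATETIME_FMT)
    (count,) = db.execute(
        "SELECT COUNT(*) FROM central WHERE (conPhone = ? OR conEmail = ?) AND registered_at >= ?",
        (normalize_phone(phone), normalize_email(email), cutoff),
    ).fetchone()
    return count > 0

def register(db: sqlite3.Connection, phone: str, email: str, now: datetime) -> bool:
    """Store the entry and return True, or return False when the 1-per-24h rule blocks it."""
    if registered_in_last_day(db, phone, email, now):
        return False
    db.execute("INSERT INTO central VALUES (?, ?, ?)",
               (normalize_phone(phone), normalize_email(email), now.strftime(DATETIME_FMT)))
    return True

def demo() -> tuple:
    """Constructed scenario: one person, four attempts with cosmetic changes to the input."""
    db = open_db()
    t0 = datetime(2007, 7, 10, 9, 55)  # constructed clock value, not a real registration
    return (
        register(db, "(555) 123-4567", "Kvigor@Example.com", t0),                        # first entry
        register(db, "555.123.4567", "other@example.com", t0 + timedelta(hours=2)),     # same phone
        register(db, "000-000-0000", "kvigor@example.com", t0 + timedelta(hours=23)),   # same e-mail
        register(db, "555-123-4567", "kvigor@example.com", t0 + timedelta(hours=25)),   # 24h window passed
    )

if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```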

