On 01-01-2012 20:08, Ashley Sheridan wrote:
On Sun, 2012-01-01 at 11:49 -0500, Tedd Sperling wrote:

On Jan 1, 2012, at 11:26 AM, muad shibani wrote:

I have a website that posts the most important news according to the number
of clicks to that news
the question is : what is the best  way to prevent multiple clicks from the
same visitor?

Not a fool-proof method, but use JavaScript on the client-side to stop users
from continuous clicking.

Then create a token and verify the click on the server-side before considering 
the click as being acceptable.

Cheers,

tedd


_____________________
t...@sperling.com
http://sperling.com







There are still problems with this: GET data (which is essentially only
what a clicked link would produce if you leave JavaScript out of the
equation - you can't rely on JavaScript) shouldn't be used to trigger a
change on the server (in your case a counter increment).

I did something similar for a competition site a few years ago, and
stupidly didn't think about this at the time. Someone ended up gaming
the system by including an image with the clicked-through URL in the src
attribute, and put that on their MySpace profile page, which had more
than a few visitors. Each of those visitors' browsers attempted to grab
that "image" which registered a click, and because of the number of
unique visitors, the clicks were registered as genuine.

I'd recommend using POST data for this reason, as it's a lot more
difficult for people to game.

I agree, POST data is indeed the way to go here. Personally, I would use a "like" image-like thing which is actually a button; using some clever JavaScript (personally I would use jQuery for this) you can then POST data to the server based on the click. Then set a cookie which disables the button (and keeps it disabled on future visits). This should prevent the average person from repeatedly clicking it. You could also log the person's IP address and filter based on that as well; combining various methods would be best in this case I think.

To prevent the method which Ashley mentioned, using POST data isn't enough. You would want to guarantee that the link came from YOUR server instead of some different place. There are multiple ways to do this:

- use a unique key as an argument in the POST which can only be "clicked" once. Register the key in a database before serving the page, and then unregister it once it has been served and clicked. Though if a person were to repeatedly open the page, your cache would be exhausted, and the method would become useless.
- require a referrer address to come from your domain; also reasonably easily circumvented in this case
- there are more, but it really depends on how much effort you want to put into preventing attacks and how much effort you expect others to put into attacking it.

For example, large sites like YouTube are sure to use extensive measures to prevent people from spam-clicking in any way, while sites that only cater to, say, 3 visitors a month don't require all that effort in the first place.

Hope that helps,
- Tul

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
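
A sketch of the token check discussed in this thread, added here as an example and not code from any of the posters. It is a variant of the "unique key" idea: instead of registering each key in a database when the page is served, the key is an HMAC-signed value bound to the article and the visitor's session, so repeated page loads store nothing and only counted clicks are recorded. `SECRET`, `TOKEN_TTL`, the function names and the in-memory `$counted` array are assumptions.

```php
<?php
// Added example. SECRET, TOKEN_TTL, the function names and the in-memory
// $counted array (standing in for a table with a unique index on
// article + visitor) are assumptions, not anything from the thread.
const SECRET = 'replace-with-a-random-server-side-key'; // constructed placeholder
const TOKEN_TTL = 900; // seconds a served page's token stays valid

// Called while rendering the page; nothing is stored per page view.
function issueToken(int $articleId, string $visitorId, int $now): string
{
    $expires = $now + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', "$articleId|$visitorId|$expires", SECRET);
}

// Called by the click handler; $method is $_SERVER['REQUEST_METHOD'] in real use.
function registerClick(array &$counted, string $method, int $articleId,
                       string $visitorId, string $token, int $now): string
{
    if ($method !== 'POST') {
        return 'rejected: not POST';        // a GET never changes the counter
    }
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return 'rejected: malformed token';
    }
    [$expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$articleId|$visitorId|$expires", SECRET);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return 'rejected: bad token';       // forged, or issued to someone else
    }
    if ((int) $expires < $now) {
        return 'rejected: expired token';
    }
    $key = "$articleId|$visitorId";
    if (isset($counted[$key])) {
        return 'rejected: already counted'; // replayed token or second click
    }
    $counted[$key] = true;
    return 'counted';
}

// Constructed walk-through: visitor IDs would be server-side session IDs.
$counted = [];
$now = time();
$token = issueToken(42, 'session-alice', $now);
echo registerClick($counted, 'GET', 42, 'session-alice', $token, $now), "\n";
echo registerClick($counted, 'POST', 42, 'session-bob', $token, $now), "\n";
echo registerClick($counted, 'POST', 42, 'session-alice', $token, $now), "\n";
echo registerClick($counted, 'POST', 42, 'session-alice', $token, $now), "\n";
```

A visitor who discards the session cookie gets a new visitor ID and can be counted again, so this check complements the cookie and IP filtering mentioned above.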
