Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
  1. #1
    Regular Coder
    Join Date
    Jul 2009
    Location
    Chicago, IL
    Posts
    169
    Thanks
    26
    Thanked 3 Times in 3 Posts

    A way to deter people from repeatedly registering

    When trying to figure out a way to prevent this (which is mainly a problem automated scripts trying to register on your site), I came up with a solution that (I think) is okay. Before, when you registered on my site, you were put into a MySQL DB, but your "active" value was set to 0. In an email, there was an activation link that, when clicked, it changed your "active" value to 1 and allowed you to log in. Obviously, such a system does not prevent someone from running a script and creating a bunch of inactive users in my DB.

    Do you folks think it's safe/sound to NOT put the person into the DB until after they click the link? I was thinking of creating a link that said www.mysite.com/activate.php?username=$_POST[username]&password=md5($_POST[password])

    I would then have a "Verify your password" box that hashes the user's input and compares it to the $_GET[password]. If it matches, then create the account.

    I'm not sure if this is the way most people already do it... but I wanted to run this by you folks and see if there are any big flaws with this design.

    Thanks!
    Last edited by wldrumstcs; 08-14-2009 at 06:59 PM.

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,509
    Thanks
    8
    Thanked 1,090 Times in 1,081 Posts
    I think it depends on the first form.

    If you start out with a more complex form that requires name, email, password,
    re-enter password, etc. then you need to create the MySQL data at that time.

    If you ask for only a username and email, you can email them a random "temporary"
    password to confirm them. The confirmation email sends them back to the real
    registration page and THEN the MySQL data is created. The "temporary" password
    is special though ... there will be a certain pattern of characters that you look for.
    Every temporary password you generate is different, except for that pattern.
    All you care about is the email address and the pattern in the "temporary" password.
    That means you don't have to create any records, or do any other checking.

    Example of some temporary passwords with a pattern (you look for the t,4,w in those specific positions) ...
    8Tr4e9wX
    5te4qmw2
    ZT74oSW9

    You would have the PHP script generate the random password and insert the pattern before emailing it to them.
    It's so simple that even a spammer wouldn't be expecting that.

    I like the latter method better because you won't have any new records created,
    and bots won't be confirming emails. If someone does confirm the email and
    then cancels filling-out the registration, you also don't create any new records.

    Here's the thing that is troublesome ... many spammers/ad-click scammers hire REAL people to spend their
    whole work-shift going to forums and blogs and registering, using a block of Yahoo or Hotmail emails.
    There's no way to stop this activity and it's happening more and more. They get paid by the number of
    registrations they do across the internet.

    One way to help stop this is to not allow anyone to post content with a URL ... unless they've posted at
    least 5 other posts beforehand. This is annoying for REAL users, but it does cut down on spamming.


    .
    Last edited by mlseim; 08-15-2009 at 04:27 AM.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •