
How to stop bypassing validation by adding spaces in address and . in email address



I have a form with PHP validation and also a mysqli query checking for duplicates in the database for mailing address and email address in mysql.  

 

It works fine, but the customers are adding spaces in the mailing address, for example "111 mailing address A V  E", "1 1 1 ma iling address A V  E", etc., and my SQL query doesn't see that as a duplicate address.

 

They're also adding email addresses like my@emailaddress.com, m.y@emailaddress.com, m.y.2@emailaddress.com, etc. to bypass that comparison as well.

 

Is there any way to stop this from happening?

 

 

 

I'm thinking of grabbing their IP and storing it in the DB. Then check for IP duplicates. Then they can change their mailing address and email all they want. The only way around that is to fill out the form at a different IP. Does anyone think that's a bad idea?

Edited by jabn

The only way to stop people from registering multiple times is to personally verify their identity (through the ID, the driver's licence or whatever).

 

Checking the IP or e-mail address is pointless, because anybody can have as many IP addresses and e-mail accounts as they want. There's no way you could change that. The best you can do is make sure that the e-mail address actually exists: Send a confirmation e-mail with a random number to the provided address. If the user doesn't confirm the registration within a certain time frame, you may cancel the registration.
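The confirmation flow described in the reply above, written out as an added example (this is not code from the thread or from any poster). It assumes PHP 8 with mysqlnd, placeholder tables `pending_signups(id, email, token_hash, expires_at)` and `signups(email, confirmed_at)`, a placeholder confirmation page at https://example.com/confirm.php, and a 24-hour window; all of these are assumptions, not values from the thread.

```php
<?php
// Added example (not code from the thread): double opt-in with an expiring,
// unguessable token. Table names, columns, the confirm.php URL and the 24-hour
// window are assumed placeholders.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 60 * 60; // assumed window: confirm within 24 hours

/** Returns [plain token to e-mail, SHA-256 hash to store in the database]. */
function issueConfirmationToken(): array
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG; never rand()/mt_rand()
    return [$token, hash('sha256', $token)];   // store only the hash so a DB dump cannot confirm signups
}

/** Record the unconfirmed signup together with the token hash and its expiry. */
function storePending(mysqli $db, string $email, string $tokenHash): void
{
    $expires = time() + TOKEN_TTL_SECONDS;
    $stmt = $db->prepare(
        'INSERT INTO pending_signups (email, token_hash, expires_at) VALUES (?, ?, FROM_UNIXTIME(?))'
    );
    $stmt->bind_param('ssi', $email, $tokenHash, $expires);
    $stmt->execute();
}

/** Send the link; the plain token travels only to the mailbox being verified. */
function sendConfirmation(string $email, string $token): bool
{
    $link = 'https://example.com/confirm.php?token=' . rawurlencode($token);
    return mail($email, 'Please confirm your request', "Open this link within 24 hours to confirm:\n$link");
}

/** Full flow for one form submission. */
function startSignup(mysqli $db, string $email): bool
{
    [$token, $hash] = issueConfirmationToken();
    storePending($db, $email, $hash);
    return sendConfirmation($email, $token);
}

/** Called from confirm.php: accept only a well-formed, unexpired, not-yet-used token. */
function confirmSignup(mysqli $db, string $token): bool
{
    if (preg_match('/^[0-9a-f]{64}$/', $token) !== 1) {
        return false; // reject junk before touching the database
    }
    $hash = hash('sha256', $token);
    $db->begin_transaction();
    $sel = $db->prepare(
        'SELECT id, email FROM pending_signups WHERE token_hash = ? AND expires_at > NOW() FOR UPDATE'
    );
    $sel->bind_param('s', $hash);
    $sel->execute();
    $row = $sel->get_result()->fetch_assoc();
    if (!$row) {
        $db->rollback();
        return false; // unknown, expired or already-used token
    }
    $email = (string) $row['email'];
    $id    = (int) $row['id'];
    $ins = $db->prepare('INSERT INTO signups (email, confirmed_at) VALUES (?, NOW())');
    $ins->bind_param('s', $email);
    $ins->execute();
    // Deleting the pending row makes the token single-use.
    $del = $db->prepare('DELETE FROM pending_signups WHERE id = ?');
    $del->bind_param('i', $id);
    $del->execute();
    $db->commit();
    return true;
}

/** Housekeeping: drop pending rows whose window has passed (run from cron). */
function purgeExpired(mysqli $db): int
{
    $db->query('DELETE FROM pending_signups WHERE expires_at <= NOW()');
    return $db->affected_rows;
}
```

The token is looked up by its hash and only while `expires_at` is in the future, so a guessed, stale or replayed link does nothing, and the `FOR UPDATE` lock plus delete keeps two concurrent clicks from confirming twice.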

Yes, that's good, but the other issue is the mailing address. They could create multiple email addresses and verify that they exist. The mailing address is another issue. They can, for example, enter 111 mailing address ave as "111 ma iling address a v e", "1 1 1 mailing address ave", etc. and not be considered a duplicate.

No, they can't just add spaces, because then the confirmation mail will never reach them. The only reason why they can add random spaces right now is because you don't even check if the e-mail address exists.

Please reread my comment. I'm talking "Mailing" address. Anyone can have multiple email addresses, so doing what you're saying still won't stop somebody from adding spaces to the "Mailing" address. Email address yes, but not "Mailing" address. I see what you're saying about the email confirmation, but they can create another email address and add spaces to their mailing address. When they do this the problem still exists.

Edited by jabn

There's nothing you can do about the physical address except providing a drop-down menu instead of a text field. This requires a complete address database, of course.

 

If you try to remove spaces, people will use abbreviations, similar-looking characters, random middle names and other variations which still result in a valid address. Why do you even care?

Checking for unique email addresses is not of much value either. With a single gmail account you can use any number of aliases. For example, if your email address is username@gmail.com you can also use username+1, username+2, username+abc, etc. etc. I think it allows up to 5 or 6 characters after the username. And they will all be "working" email addresses that go to the same mailbox.

 

And, as Jacques1 stated, verifying mail addresses is very problematic as well. I once added Apt. #'s to my house address to register for a service multiple times. The "best" option is to use professional services that do merge/purge/dedupe operations for mailing addresses. Although, anything that is good will cost money.

 

Here's one resource: http://www.qas.com/address-verification.htm


It's kind of pointless as pointed out by Jacques1, as users will just add other types of characters, but you could create a function that adds and removes spaces and then compares the results to the database. This would be quite db intensive though as there would be a lot of variations to compare.

 

You could force users to only use a comma, space, and alphanumeric characters (i.e. a-z, 0-9) when entering the address, which would minimise some of the variations they can use.

 

Another option I've just thought of would be to count the spaces in each line of the address, and if any line exceeds a certain number (6?) then the user is told that the address is invalid (and why). This would also limit the number of variations a user could create.

 

I don't think you are ever going to get a perfect solution - just by the nature of the issue - but even minimising the number of extra free products you have to send out will save you (or your client) some money in the end.

 

Ok, nothing else springs to mind currently, but if I think of anything else I'll post it here.

 

Good luck.

Edited by wezhind
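One way to put the ideas from this thread into the duplicate check itself: the original post's spacing and dot variants, the Gmail alias point made above, and the character whitelist and space limit suggested in the last reply. This is an added example, not code from the thread or from any poster. It assumes PHP 8 with the mbstring and mysqlnd extensions and a `signups` table with extra columns `address_key` and `email_key`, each under a UNIQUE index, alongside the raw input the customer typed; those names are assumptions.

```php
<?php
// Added example (not code from the thread). Build a canonical key for the mailing
// address and the e-mail before comparing against the database, so that spacing,
// case, Gmail dots and "+tag" aliases collapse to one value, and enforce the input
// rules proposed in the thread. Column names `address_key`/`email_key` are assumed.
declare(strict_types=1);

/** Canonical key for a mailing address: lower-case, letters and digits only. */
function canonicalAddress(string $address): string
{
    $lower = mb_strtolower($address, 'UTF-8');
    // "1 1 1 ma iling address A V  E" and "111 Mailing Address Ave." -> "111mailingaddressave"
    return preg_replace('/[^\p{L}\p{N}]+/u', '', $lower) ?? '';
}

/** Canonical key for an e-mail address, or null if it is not syntactically valid. */
function canonicalEmail(string $email): ?string
{
    $email = mb_strtolower(trim($email), 'UTF-8');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    [$local, $domain] = explode('@', $email, 2);
    if ($domain === 'googlemail.com') {
        $domain = 'gmail.com';
    }
    // Sub-addressing ("user+tag") is dropped for every domain: a dedupe choice,
    // since most providers deliver it to the same mailbox.
    $local = explode('+', $local, 2)[0];
    // Only Gmail ignores dots in the local part; elsewhere m.y@ and my@ are distinct mailboxes.
    if ($domain === 'gmail.com') {
        $local = str_replace('.', '', $local);
    }
    return $local . '@' . $domain;
}

/** Input rule from the thread: letters, digits, commas and spaces only, at most $maxSpaces spaces per line. */
function validateAddressLine(string $line, int $maxSpaces = 6): bool
{
    if (preg_match('/^[a-z0-9, ]+$/i', $line) !== 1) {
        return false;
    }
    return substr_count($line, ' ') <= $maxSpaces;
}

/** True when a signup with the same canonical address or e-mail already exists. */
function isDuplicate(mysqli $db, string $address, string $email): bool
{
    $addrKey = canonicalAddress($address);
    $mailKey = canonicalEmail($email);
    if ($mailKey === null) {
        return false; // the caller should already have rejected a malformed e-mail
    }
    $stmt = $db->prepare('SELECT 1 FROM signups WHERE address_key = ? OR email_key = ? LIMIT 1');
    $stmt->bind_param('ss', $addrKey, $mailKey);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

// Constructed samples taken from the thread's own examples.
var_dump(canonicalAddress('111 mailing address AVE') === canonicalAddress('1 1 1 ma iling address A V  E'));
var_dump(canonicalEmail('m.y@emailaddress.com'));          // dots are kept outside Gmail
var_dump(canonicalEmail('User.Name+abc@GoogleMail.com'));  // alias collapses to the base mailbox
var_dump(validateAddressLine('1 1 1 ma iling address A V  E'));
```

The two spaced-out address variants from the first post map to the same key, so a UNIQUE index on `address_key` rejects the second one at insert time regardless of how the check above is called. The keys only fold variations that are truly the same destination; abbreviations such as "Ave" versus "Avenue" and invented apartment numbers still differ, which is the limit Jacques1 and gizmola point out, and dots outside Gmail are deliberately left alone because there they address distinct mailboxes, which is why the confirmation e-mail, not the comparison, is what actually verifies the sender.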

I remember a while back a company offering free products (samples), and what they did is took your credit card number (I am assuming they used a billing service) and charged a nominal fee like $5.00 or something like that. And when the product shipped the person was credited the money, or so they said, for I never tried it. The point being people will tend not to make multiple accounts if they might get socked with forking over money. The problem with this is two things: one, you alienate some people, and two, some people won't bother signing up. I fall in the first category; I'm suspicious anytime a company asks for a CC#.
