Jump to content

Preventing Simultaneous Input


StormTheGates

Recommended Posts

Hey all. I run a PHP Game and have been wracking my brain as to how to fix the newest exploit on it.

What the people are doing is opening 2 windows, going to the bank page and simultaneously pressing the Input button(or close to it)

What happens is that the input goes so fast their money essentially doubles and clones. They wind up with 2x in the bank while only loosing what they put in.

Any ideas as to how I could stop this?
Link to comment
Share on other sites

I assume you have something to track users online? How about an iframe which auto refreshes every 60 seconds and merely updates the last online time... then when they try to log in, make sure their last online is over 120 seconds ago. That way they can't log in again.

There are other ways such as sticking session_destroy(); at the top of the page - but that wouldnt work if they use a seperate browser. Can't hurt to put that in aswell though!

Erm, other ideas... make a unique login number each time someone logs in: save it in their session data and also insert it into their user file when they log in. Each time they log in a new number is generated and inserted into the session and the database. When a page is opened - check to see if they match. If they don't then session_destroy(); and header("Location:index.php");
Link to comment
Share on other sites

Idea! On page load, generate the timestamp and put it in an array in the session. Then on the processing page, check how many values are in there. This will tell you if they have more than one page open. If they do, don't process it. At the end of the processing, emtpy that array.
so
on the bank page:
$times = $_SESSION['times'];
$times[] = time();
$_SESSION['times'] = $times;

on processing:
if(count($_SESSION['times'] > 1)){
  // Too Many Pages!
}else{
//okay!
}
Link to comment
Share on other sites

don't call them retards, thats a bit harsh. i still think javascript is the best bet, unless some other superpowerful php freaks here can think of something...
just put a note on the bank page, above the link to the popup bank that javascript needs to be installed and enabled to use the bank. simple. if they cant enable it, no bank for them. not your fault. there fault. lol.
Link to comment
Share on other sites

I'd do the following:

1) First, change your login mechanism so that a user may be logged in once and only once.  This will prevent them from using one window of IE and another of FF, which will then allow you to use $_SESSION to solve the problem.

2) You undoubtedly have a function that handles the form input.  Modify the function like so:
[code]
// At the top of the function
if(isset($_SESSION['lock_bank'])){
  return;
}
$_SESSION['lock_bank'] = true;

// Do the regular processing

// At the bottom of the function
unset($_SESSION['lock_bank']);
[/code]

I guess there is still a risk of two requests being handled at once, although I think it's a much, much smaller risk.  The only other suggestion I could make is to switch the table to type InnoDB and use transactions.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.