PHP Forum

**lukie_boy** · 01-13-2009, 03:27 PM

Hi, I have hit A wall with my code,

What it is I am making a quiz game see previous post,
and the lives and score system works well but if I click back I can cheat the
game ,which of course is no good. I am using a session to parse data on.

I have had a look into using some JS but it can't work as far as i'm aware, so i'm wondering can I trace which page the session has come from so if they are on question 2 get it wrong, they click back then I could send them to a gameover screen for cheating?

Is there a function which could do this any suggestions?

**Envision_frodo** · 01-13-2009, 03:57 PM

Session variables alone may allow the more inventive users to continue cheating (i.e. clearing/modifying that cookie). How about using a combination of session vars and an intermediary redirect? Something like:

question1.php -> redirect.php -> question2.php

That way if they hit back they simply get redirected forward again. Then add http_referrer and session variable checking to stack a few hoops cheaters would need to jump through.

PHP Code:


			
// ### Check for Proper Referrer
if ($_SERVER['HTTP_REFERRER'] != '/legitorigin.php')
  {
   Header("HTTP/1.1 302 Found");
   Header("Location: http://yoursite/gameover.php");
  }

// ### Check for Proper Session Stuff
if (!isset($_SESSION['legitid']) || isset($_SESSION['gameover']))
  {
   Header("HTTP/1.1 302 Found");
   Header("Location: http://yoursite/gameover.php");
  }

Something like that anyway...

**lukie_boy** · 01-13-2009, 04:23 PM

Thanks mate I am going to have a play around with this now

I will tell you how I get on.

Luke

**paaaaaaaaaa** · 01-13-2009, 04:58 PM

If you are on '...question2.php' and you click the browsers back button the referral variable will not be question2.php. That will only work with links.

Setting a session variable to the question number you are on would do the trick. Then do a redirect to question 1 if there is no session or redirect to the question the user is on if the session is set.

If you want it so that a user can only do the quiz once then you will need the user to log in and store quiz completion data in a database.

**lukie_boy** · 01-13-2009, 05:28 PM

Brilliant thank you both very much!

Here is the solution

PHP Code:


			
<?php session_start();
$_SERVER['question'] = 1;

if ($_SERVER['question'] == 1)
  {
   Header("HTTP/1.1 302 Found");
   Header("Location: http://localhost/JB/gameovercheater.php");
  }?>

I havn't tried it yet with the other questions, but I don't see any reason why it would not.

Luke

**paaaaaaaaaa** · 01-13-2009, 06:11 PM

Your code would actually always fire the cheating page. Here is what I would use.

PHP Code:


			
<?php 

session_start();



// set what question we are on

$_SESSION['question'] = 1;





// check that we have came from the correct place

if (isset($_SESSION['nextQuestion']))

  {

    if ($_SESSION['nextQuestion'] != $_SESSION['question'])

    {

      Header("HTTP/1.1 302 Found");

      Header("Location: http://localhost/JB/cheat.php");

    }

  }

  



// what will be the next question

$_SESSION['nextQuestion'] = 2;



?>

**mgraphic** · 01-13-2009, 09:24 PM

One good method to prevent multiple uses of a form (in your case to cheat on a quiz), a method used for security and prevent such things like spoofing is to generate, pass and validate a url token in the url parameters. Everytime the quiz form loads up, the session token generates a random string and that string is also passed in the url params. On the processing page, the token is compared and deleted from the session, so only one single instance of that form is allowed to process.

**lukie_boy** · 01-13-2009, 09:47 PM

hmmmm I just tried your method paaaa

But it keeps taking me back to the cheat.php, I have used session_destroy() which is working as I'm getting

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in C:\wamp\www\JB\cheat.php on line 1
here is my code over to of the pages.

PHP Code:


			
<?php 
session_start();
$_SESSION['question'] = 1;
if (isset($_SESSION['nextQuestion']))
  {
    if ($_SESSION['nextQuestion'] != $_SESSION['question'])
    {
      Header("HTTP/1.1 302 Found");
      Header("Location: http://localhost/JB/cheat.php");
    }
  }
$_SESSION['nextQuestion'] = 2;
?>

which parses onto.....

PHP Code:


			
session_start();
$_SESSION['question'] = 2;
if (isset($_SESSION['nextQuestion']))
  {
    if ($_SESSION['nextQuestion'] != $_SESSION['question'])
    {
      Header("HTTP/1.1 302 Found");
      Header("Location: http://localhost/JB/cheat.php");
    }
  }
$_SESSION['nextQuestion'] = 3;
?>

am I missing something simple here?

**lukie_boy** · 01-14-2009, 06:21 PM

Okay I have fixed it now!

what I used is...

PHP Code:


			
<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();

?>thanks for all your help once again!