
I'm trying to make a song request form for a radio station but they do not want spamming. I've done the form etc which is pretty simple but I am trying to make it so... If a visitor requests a song, that request will be stored in a database so the DJ can check it. I want it so the DJ will have to click Played to allow the same visitor request again, else it will not allow that same IP to request again.

The problem is, the checking if the IP is there isn't working.

Here's the code, it may be an easy fix...

```php
<?php include "db.php"; ?>
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<h3> Request a song</h3>
<?php
// Escaped copy of the visitor's address, used in the lookup below
$ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$query = "SELECT * FROM requests WHERE ip='" . $ip . "'";
$result = mysql_query($query);

if (mysql_num_rows($result) > 0) {
  echo "<form action='thankyou.php' method='post'>
  Your Name:<br>
  <input type='text' name='name' required><br>

  Artist:
  <input type='text' name='artist' required><br>

  Song:<br>
  <input type='text' name='song' required><br>

  Message:<br>
  <input type='text' name='message' required><br>
  <input type='submit' value='Submit'><br>
  </form>";
}
else {
  echo "Your song hasn't been played yet.";
}
?>

</body>
</html>
```

Thanks in advance.

    Surely your `if` statement needs to check the opposite case? If their IP is found in the table (so there's more than 0 rows found) you want to show the message - else if there's not more than 0 rows found, you show the form? – Tom Jan 17 '17 at 16:04
    http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – AbraCadaver Jan 17 '17 at 16:05
  • Basically yeah, not sure how to do it, but if the visitor ip is in there then no more requests. – MBell86 Jan 17 '17 at 16:06
    IP Address != Person – CD001 Jan 17 '17 at 16:06
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 17 '17 at 16:28
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 17 '17 at 16:28
  • Thanks guys, noted. – MBell86 Jan 17 '17 at 16:41
  • If you just want to be able to handle spamming, etc. you should take a look at Google's RECAPTCHA – Dawid Zbiński Jan 17 '17 at 16:43

1 Answer

Currently, you've got:

```php
// $result = Do query
if(mysql_num_rows($result) > 0) {
    // Show the form
} else {
    // Show 'Already Requested' message
}
```

But that will show the form only to those whose IP address is found in the table, when that seems to be the opposite of what you want.

Try this:

```php
// $result = Do query
if(mysql_num_rows($result) == 0) {
    // Show the form
} else {
    // Show 'Already Requested' message
}
```

Now the form is shown only if the number of rows returned from your query is 0.

You're going to need to add a check in your SQL for your played flag also. And to pick up on a couple of comments;
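The corrected gate together with the played flag and a prepared statement, as an added example that is not part of the question or of Tom's answer. It assumes a `requests` table with `ip` and `played` columns (an assumption about the asker's schema) and uses an in-memory SQLite database through PDO so it runs on its own, replacing the removed `mysql_*` calls the comments warn about.

```php
<?php
// Added example, not the original script: the visitor may request again only
// when no *unplayed* request from the same IP is pending. The IP is bound as a
// parameter, so it is never concatenated into the SQL text.

function canRequest(PDO $db, string $ip): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM requests WHERE ip = :ip AND played = 0'
    );
    $stmt->execute([':ip' => $ip]);
    // Corrected condition: show the form when NO pending row exists.
    return (int) $stmt->fetchColumn() === 0;
}

function addRequest(PDO $db, string $ip, string $artist, string $song): void
{
    $stmt = $db->prepare(
        'INSERT INTO requests (ip, artist, song, played) VALUES (:ip, :artist, :song, 0)'
    );
    $stmt->execute([':ip' => $ip, ':artist' => $artist, ':song' => $song]);
}

function markPlayed(PDO $db, int $id): void
{
    // What the DJ's "Played" button does: lifts the block for that visitor.
    $stmt = $db->prepare('UPDATE requests SET played = 1 WHERE id = :id');
    $stmt->execute([':id' => $id]);
}

// Demo on a constructed in-memory database (schema is assumed, see lead-in).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE requests (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    ip TEXT NOT NULL, artist TEXT, song TEXT,
    played INTEGER NOT NULL DEFAULT 0)');

$ip = '203.0.113.7'; // constructed sample address
echo 'before request: ', canRequest($db, $ip) ? 'form' : 'blocked', PHP_EOL;
addRequest($db, $ip, 'Artist', 'Song');
echo 'pending request: ', canRequest($db, $ip) ? 'form' : 'blocked', PHP_EOL;
markPlayed($db, (int) $db->lastInsertId());
echo 'after Played: ', canRequest($db, $ip) ? 'form' : 'blocked', PHP_EOL;
// A value containing a quote is still just data to the bound parameter.
echo "quoted input: ", canRequest($db, "203.0.113.7'") ? 'form' : 'blocked', PHP_EOL;
```

In the real page the `$ip` argument would be `$_SERVER['REMOTE_ADDR']`, and as CD001's comment notes, an address is not a person, so this only limits repeat requests per address.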
