-1

I am an Android developer and have never touched PHP. I am using the function below to register my Android users. I have noticed that some users are creating multiple accounts, and I want to prevent it. I have added a field called blocked to the device table. I want to check whether the device has blocked=1, and if so I do not want to register the user's account. My PHP developer is not online, so I am unable to write the correct code. My current function is below. Let me know if someone can help me do it.

    $trial_sql = "SELECT device_id FROM device WHERE device_id = '$serial'";
    $trial_result = mysqli_query($conn, $trial_sql);
    if (mysqli_num_rows($trial_result) == 0) {
        $device_sql = "INSERT INTO device(device_id) VALUES('$serial')";
        if ($conn->query($device_sql)) {
            $trial = 1;
        }
    }
    $sql = "INSERT INTO user(name, email, password, device_id, trial, fcm) VALUES('$name', '$email', '$password', '$serial', $trial, '$fcm')";
    if ($conn->query($sql)) {
        $response["code"] = 1;
    }
    return json_encode($response);

Thanks

Khushi Patel
  • 1
    If you want to ensure that each device can be used only once, then just put a unique constraint on the device field of your user table. – Alex Howansky Apr 13 '18 at 17:55
  • Well, you'd have to query the datastore to check if the device is blocked, I don't see you doing that here. – Daan Apr 13 '18 at 17:55
  • 1
    Also, your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Apr 13 '18 at 17:55

1 Answer

0

Add a new field to store the IMEI number for the devices (afaik each device's IMEI number will be unique), then you can check a device's IMEI against the list of IMEI numbers that you have blocked.

SpacePhoenix
  • Hi! I am already storing the device id in the device table. Now I just want to check whether we have blocked that device id or not, so I have added a field called blocked to the device table, with a default value of 0. If we set it to 1, it means the device is blocked. Now I just want to check in the device table whether the device is blocked or not. Thanks – Khushi Patel Apr 13 '18 at 18:25
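
The blocked-device check asked about in the question, combined with the prepared statements recommended in the comments on it, as an added example that is not code from anyone in the thread. The table and column names are the ones the asker gives; the function name `register_user`, the response code 2 for a blocked device, and the default `$trial = 0` are assumptions.

```php
<?php
// Added example. Tables/columns come from the thread; register_user(), the
// "code" => 2 reply for a blocked device and $trial = 0 are assumptions.
function register_user(mysqli $conn, string $name, string $email,
                       string $password, string $serial, string $fcm): string
{
    // Make mysqli throw mysqli_sql_exception instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $response = ["code" => 0];
    $trial = 0; // assumed default when the device has been seen before

    try {
        $conn->begin_transaction();
        // Look up the device and its blocked flag; ? keeps $serial out of the SQL text.
        $stmt = $conn->prepare("SELECT blocked FROM device WHERE device_id = ?");
        $stmt->bind_param("s", $serial);
        $stmt->execute();
        $stmt->bind_result($blocked);
        $known = ($stmt->fetch() === true); // null means no row for this device
        $stmt->close();

        if ($known && (int) $blocked === 1) {
            $conn->rollback();
            $response["code"] = 2; // assumed value: device blocked, no account created
            return json_encode($response);
        }
        if (!$known) {
            // First registration from this device: record it and grant the trial.
            $stmt = $conn->prepare("INSERT INTO device(device_id) VALUES (?)");
            $stmt->bind_param("s", $serial);
            $stmt->execute();
            $stmt->close();
            $trial = 1;
        }
        // $password is stored as received, exactly as the original function does.
        $stmt = $conn->prepare(
            "INSERT INTO user(name, email, password, device_id, trial, fcm)
             VALUES (?, ?, ?, ?, ?, ?)");
        $stmt->bind_param("ssssis", $name, $email, $password, $serial, $trial, $fcm);
        $stmt->execute();
        $stmt->close();
        $conn->commit();
        $response["code"] = 1;
    } catch (mysqli_sql_exception $e) {
        $conn->rollback();
        error_log($e->getMessage());
    }
    return json_encode($response);
}
```

Two simultaneous requests from a new device can both pass the SELECT before either inserts; if `device.device_id` has a unique index (an assumption about the schema), the second INSERT throws and that request is rolled back with code 0.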