Web Registration Limit

Junior Spellweaver
Joined
Dec 21, 2013
Messages
140
Reaction score
3
I have little to no knowledge on these things so please forgive me >~<

I wanted to limit the number of registrations each player can have per IP to 3. I believe it can be bypassed easily, but it's still better than nothing I guess.

My guess is
Code:
$query=mysql_query("SELECT * FROM accounts WHERE ip='" . mysql_real_escape_string($_POST["ip"]) . "'");
if that even is correct

Then after that place in the registration page
Code:
} else if (mysql_num_rows($query) > 3) {
do whatever.

Registration Page
Code:
<?php
	if(basename($_SERVER["PHP_SELF"]) == "register.php"){
		die("Error 404");
	}
?>
	<?php
        if (isset($_POST['register'])) {
            $username = mysql_real_escape_string($_POST['username']);
            $password = mysql_real_escape_string($_POST['password']);
            $cpassword = mysql_real_escape_string($_POST['cpassword']);
            $email = mysql_real_escape_string($_POST['email']);
            $birth = mysql_real_escape_string($_POST['birth']);
            $ip = mysql_real_escape_string($_POST['ip']) ;

            $ucheck = mysql_query("SELECT * FROM `accounts` WHERE `name`='" . $username . "'") or die(mysql_error());
            if ($username == "") {
                echo "<div class=\"error\">Please enter in a username.</div>";
            } else if (mysql_num_rows($ip)  > 3) { 
                echo "<div class=\"error\">Registration limit reached. Please contact an administrator to increase the limit.</div>";
            } elseif (mysql_num_rows($ucheck) >= 1) {
                echo "<div class=\"error\">Username is already being used.</div>";
            } elseif ($password == "") {
                echo "<div class=\"error\">Please enter in a password.</div>";
            } elseif ($password != $cpassword) {
                echo "<div class=\"error\">The passwords do not match.</div>";
            } elseif ($email == "") {
                echo "<div class=\"error\">Please enter in an email.</div>";
            } elseif (strlen($username) < 4) {
                echo "<div class=\"error\">Username must be between 4 and 12 characters!</div>";
            } elseif (strlen($username) > 12) {
                echo "<div class=\"error\">Username must be between 4 and 12 characters!</div>";
            } elseif (strlen($password) < 6) {
                echo "<div class=\"error\">Password must be between 6 and 12 characters!</div>";
            } elseif (strlen($password) > 12) {
                echo "<div class=\"error\">Password must be between 6 and 12 characters!</div>";
            } elseif (strlen($birth) > 10) {
                echo "<div class=\"error\">Please enter in a username.</div>";
            } else {
                $ia = mysql_query("INSERT INTO `accounts` (`name`,`password`,`birthday`,`email`) VALUES ('" . $username . "','" . sha1($password) . "','" . $birth . "','" . $email . "')") or die(mysql_error());
                echo "<div id=\"error\">You are now registered to ".$servername."!</div>";
            }
        }
    ?>
	<br/>
	<form method="POST" action="">
		<table width="370" align="center">
            <tr>
				<td style="float: left;">Username:  </td>
				<td style="float: right;"><input type="text" name="username" class='tip-fw' title="The maximum lenght is 12 characters." maxlength="12"  autocomplete="off" placeholder="Username" required autofocus>
				</td>
			</tr>
            <tr>
				<td style="float: left;">Password:  </td>
				<td style="float: right;"><input type="password" name="password" class='tip-fw' title="Enter a password between 1~12 characters." maxlength="12" placeholder="Password" required></td>
			</tr>
            <tr>
				<td style="float: left;">Comfirm Password:  </td>
				<td style="float: right;"><input type="password" name="cpassword" class='tip-fw' title="Confirm your password." maxlength="12" placeholder="Comfirm Password" required></td>
			</tr>
            <tr>
				<td style="float: left;">Email:  </td>
				<td style="float: right;"><input type="text" class='tip-fw' title="Please enter a valid Email Address." name="email" placeholder="Email" required></td>
			</tr>
            <tr>
				<td style="float: left;">Birthday:<br><small>(YYYY-MM-DD)</small>  </td>
				<td style="float: right;"><input id="datepicker" type="text" maxlength="10" class='tip-fw' title="Ex. 1990/01/30" name="birth" placeholder="Birthday" required></td>
			</tr>
			<b>reCaptcha:</b>
    <div class="g-recaptcha" data-sitekey="6Ld0Sw0TAAAAANGmNu3CmMYQ-WrSYhL97XL3bH9a"></div>
    <br/>
        </table>
        <center><input type="submit" class="button" value="Register" name="register"></center>
        </form>

Is that how it's supposed to be done? If it's not, which part do I change? I believe that is what's needed to check the IPs and then count the number of equivalent IPs.

Thanks in advance!
 
Last edited:
Newbie Spellweaver
Joined
Apr 17, 2014
Messages
57
Reaction score
6
PHP:
$user_ip = $_SERVER['REMOTE_ADDR']; // Return client's IP: Ex. 123.123.123.123
$query=mysql_query("SELECT * FROM accounts WHERE ip='" . mysql_real_escape_string($user_ip) . "'");
if(mysql_num_rows($query) > 3){
echo "Err!";
return;
}

You may change the $user_id value to the correct format of the values in the "ip" field of the "accounts" table. (I forgot how they are, lol~)
Ex: "/127.0.0.1" =>
PHP:
$user_ip = '/'.$_SERVER['REMOTE_ADDR'];

Besides, you should use "SELECT COUNT(*)..." instead of using "SELECT * FROM..." with "mysql_num_rows()". This will reduce your script's execution time.

P/s: Sorry for my bad English.
 
Upvote 0
Junior Spellweaver
Joined
Dec 21, 2013
Messages
140
Reaction score
3
Thank you for replying! It worked with minor problems, but I was able to fix it

Thank you!
 
Upvote 0
Everything is possible~
Loyal Member
Joined
Jan 9, 2008
Messages
818
Reaction score
847
Note that REMOTE_ADDR is not correct when you use a proxy service like CloudFlare.
 
Upvote 0
Junior Spellweaver
Joined
Dec 21, 2013
Messages
140
Reaction score
3
> Note that REMOTE_ADDR is not correct when you use a proxy service like CloudFlare.

Yeah I've noticed this. I've searched around and found out there were various ways to check for IP and get around the proxy, from what I saw, there were many ways to mask a person's IP and many of the sources seemed unreliable :/ (Probably not unreliable, but I wouldn't know how to use them properly)

From what people have said, and I quote "REMOTE_ADDR is the most accurate way to find the remote address" if I remember correctly.
 
Upvote 0
Everything is possible~
Loyal Member
Joined
Jan 9, 2008
Messages
818
Reaction score
847
> Yeah I've noticed this. I've searched around and found out there were various ways to check for IP and get around the proxy, from what I saw, there were many ways to mask a person's IP and many of the sources seemed unreliable :/ (Probably not unreliable, but I wouldn't know how to use them properly)
>
> From what people have said, and I quote "REMOTE_ADDR is the most accurate way to find the remote address" if I remember correctly.

Depends on your setup.
If you are running a load balancer like NGINX (like CloudFlare does), the incoming IP will be masked, as the load balancer will forward the request. In most cases, X-Real-IP is sent as a header. In the case of CloudFlare, they send CF-Connecting-IP as and
 
Upvote 0
Joined
May 19, 2007
Messages
440
Reaction score
78
I recommend changing the $_POST method to $_SERVER["REMOTE_ADDR"] instead. When using a $_POST value, it can be manipulated from developer tools, which may cause someone to abuse this exploit.
 
Upvote 0
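
The advice from the replies above, combined in one added example (not code from any poster in this thread): take the address from REMOTE_ADDR rather than $_POST, honour CF-Connecting-IP or X-Real-IP only when the direct peer is one of your own proxies, and count with COUNT(*) through a bound parameter. It uses PDO instead of the thread's mysql_* functions; the TRUSTED_PROXIES list, the function names and the in-memory SQLite table (needs the pdo_sqlite extension) are assumptions made for the demo.

```php
<?php
// Added example, not the thread's code. Names below are hypothetical.
// Placeholder list: fill in the addresses of the proxies that front your server.
const TRUSTED_PROXIES = ['127.0.0.1'];   // constructed sample value
const MAX_ACCOUNTS_PER_IP = 3;

// Forwarding headers are honoured only when the TCP peer (REMOTE_ADDR) is one
// of our own proxies; otherwise any visitor could send them with any value.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true)) {
        foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP'] as $header) {
            $candidate = $server[$header] ?? '';
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return $peer;
}

// COUNT(*) returns one row with the total instead of every matching account.
function accounts_for_ip(PDO $db, string $ip): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM accounts WHERE ip = ?');
    $stmt->execute([$ip]);
    return (int) $stmt->fetchColumn();
}

function may_register(PDO $db, array $server): bool
{
    return accounts_for_ip($db, client_ip($server)) < MAX_ACCOUNTS_PER_IP;
}

// Constructed demo: in-memory SQLite stands in for the MySQL accounts table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (name TEXT, ip TEXT)');
$ins = $db->prepare('INSERT INTO accounts (name, ip) VALUES (?, ?)');
foreach (['a', 'b', 'c'] as $n) { $ins->execute([$n, '203.0.113.7']); }

// Direct visitor sending a forged header: it is ignored, the peer address counts.
var_dump(may_register($db, ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_REAL_IP' => '198.51.100.9']));
// The same client arriving through the trusted proxy: the header is used.
var_dump(may_register($db, ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7']));
// A different client through the proxy, with no accounts yet.
var_dump(may_register($db, ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_CF_CONNECTING_IP' => '198.51.100.9']));
```

The registration INSERT has to write the same address into the ip column unless something else populates it; if that column stores values with a leading "/", as the second post suggests, prepend it for both the lookup and the insert.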