Referral System PHP
I have a membership-based website and I'm planning on implementing a referral system. My website is credit based; the idea is that if User X refers User Y, then User X gets 100 bonus credits.
Has anybody built a referral system before, and if so, what obstacles should I bear in mind? I've had a snoop round SO tonight but couldn't find any suitable answers.
My theory is to give each user a random string which is generated and stored in the DB when they sign up. The user will then be presented with a URL incl. that string, which, when they pass it to somebody (User Z), sends User Z to a page. The page then uses the GET method to gather the random string and update the DB row they currently occupy. Does this sound feasible, or could it easily be breached?
Thanks
Typically this is called an affiliate program. You pretty much got it right in your description, but I would also store the referral from the $_GET var into a session or a cookie so the user can be credited even if they navigate away from the referral page. By this I mean - typically an affiliate program credits user X only if user Y registers or buys something. So user Y can hit the referral page, then look around, then find their way back to a registration page, or purchase page. By that point the referral $_GET var is lost and so is the credit. So your referral page would store the session or cookie for the referral code, and your registration page or checkout callback would check for these vars and act accordingly. I believe scott's method is good if there is concern like he mentions, but alternatively you might want the referral to stay static all the time, for cases like business referrals that people might put on business cards. They do that a lot in MLM where the reps are given profiles on a central company website so they don't need to make their own.
I don't know what you mean by update the DB row they currently occupy. Are you suggesting something like a count field that holds a number representing the total referrals? If so, I would say that's not a good idea. You should record each successful referral as its own entry in a relational table with the referrer's id as the common key. That way you can store all kinds of post data in the referral so you know if you're being messed with. Like, say, a user making 1,000 yahoo accounts and signing up with their own referral code just to get bonus credits. Your relational table might see the repeating IP address, or referral email being incremental (johndoe1000@yahoo.com, johndoe1001@yahoo.com, etc) and then you know to take action.
The safety of your suggestion ultimately comes down to how you handle the data. If you blindly insert anything into the DB then everything is harmful. Just make sure to properly escape things and keep an eye on behavior, even manually. You should be fine.
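An added example (not code from any of the posters) of the approach this answer describes: keep the referral code in the session, record each referral as its own row, and hold repeats from one IP for manual review. The table names, the 16-hex-character code format and the threshold of 3 are assumptions; on a real page the arrays passed in would be $_GET and $_SESSION.

```php
<?php
// Added example; schema, names and the 3-per-IP threshold are assumptions.
$db = new PDO('sqlite::memory:'); // in-memory SQLite stands in for the site's DB
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, ref_code TEXT UNIQUE, credits INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE referrals (id INTEGER PRIMARY KEY, referrer_id INTEGER NOT NULL,
    referred_id INTEGER NOT NULL UNIQUE, ip TEXT NOT NULL, email TEXT NOT NULL,
    flagged INTEGER NOT NULL DEFAULT 0, created_at TEXT DEFAULT CURRENT_TIMESTAMP)');

// Landing page: accept only the expected shape (assumed: bin2hex(random_bytes(8))), then remember it.
function rememberReferral(array $get, array &$session): void {
    $code = $get['ref'] ?? '';
    if (is_string($code) && preg_match('/\A[a-f0-9]{16}\z/', $code)) {
        $session['ref'] = $code;
    }
}

// Registration handler: call once the new user's row exists.
function creditReferral(PDO $db, array &$session, int $newUserId, string $email, string $ip): string {
    if (empty($session['ref'])) return 'no-referral';
    $q = $db->prepare('SELECT id FROM users WHERE ref_code = ?');
    $q->execute([$session['ref']]);
    $referrerId = $q->fetchColumn();
    unset($session['ref']); // a stored code is used at most once per session
    if ($referrerId === false || (int)$referrerId === $newUserId) return 'rejected';
    // Repeated sign-ups from one IP for the same referrer are recorded but not paid out.
    $q = $db->prepare('SELECT COUNT(*) FROM referrals WHERE referrer_id = ? AND ip = ?');
    $q->execute([$referrerId, $ip]);
    $flagged = (int)$q->fetchColumn() >= 3 ? 1 : 0;
    $db->beginTransaction();
    try {
        $db->prepare('INSERT INTO referrals (referrer_id, referred_id, ip, email, flagged) VALUES (?,?,?,?,?)')
           ->execute([$referrerId, $newUserId, $ip, $email, $flagged]);
        if (!$flagged) {
            $db->prepare('UPDATE users SET credits = credits + 100 WHERE id = ?')->execute([$referrerId]);
        }
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack(); // e.g. UNIQUE violation: this account was already counted
        return 'rejected';
    }
    return $flagged ? 'held-for-review' : 'credited';
}

// Constructed demo data: user 1 is the referrer (User X), user 2 the new account (User Y).
$db->exec("INSERT INTO users (id, ref_code) VALUES (1, '0123456789abcdef'), (2, NULL)");
$session = [];
rememberReferral(['ref' => '0123456789abcdef'], $session); // stands in for $_GET / $_SESSION
echo creditReferral($db, $session, 2, 'y@example.com', '203.0.113.7'), "\n";
```

The UNIQUE constraint on referred_id means a replayed registration request cannot credit the referrer twice, and flagged rows keep the IP and email for the manual review the answer suggests.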
If the value remains static, it most definitely can be breached. I'd recommend you do not give a user one hash (we'll say MD5 to make this simple) and have that remain their sole string of characters. You may create a temp table that holds records of all the sent requests, both users' IDs, and a random hash of the current time (using something like the date() function) along with the user's PRIMARY KEY value appended to the end for each individual request. So if a referral gets sent at midnight, you can generate a unique hash in MySQL using the following command:
SELECT MD5( CONCAT( NOW(),user.id ) ) AS hash FROM user WHERE user.id = #
If you use the same hash every time, then as soon as someone discovers that hash, it could, unless properly defended against, be exploited a lot more easily than if you had a different hash for each individual referral.
Instead of a random string you could just use the username of user X?
Also, with random strings you could get into a situation where two users have the same random string. Or maybe you were planning on using both?
I'm not sure I can see the need to secure the referral. What are you afraid of being abused? A user making multiple accounts to get free points? They could do that just as well with the random string. If you want to prevent this, you should set a cookie and/or check IP addresses.
What dangers are we talking about if someone breaches the system? Just free points, or are people actually paying for these points normally? And if so, does a user pay to register?
If a user is paying to become a member, I see no reason to restrict referrals. Just don't award user X anything before user Y has actually paid. Set a cookie/session when user Y is referred, and if user Y registers while the session is holding user X's username, award user X.
That's all I can say with the information you posted atm.