As far as grabbing time and IP:

<?php

$today = date("F j, Y);

$ip = $_SERVER['REMOTE_ADDR'];

**Notes**

I used the date format F j, Y just as an example but visit here to see all available formats: [us4.php.net...]

The IP is automatically stored in a global variable so all you have to do is call on it like I did above.

As far as the username...it all depends on how your links they are clicking on are setup. I would recommend doing a URL encode and passing it to the same page. Ex. page.php?username=bob.

Questions?

Yes you would probably have to put that data in another table and use SQL to do some kind of date comparison and flush it after 24hrs.

user_id
time

You could probably store the email they are sending to as well to prevent more than one user from emailing the same person (don't want to flood one person with requests).

After your 24 hours is up then allow the user to send more, and perhaps regularly flush the table of old entries.

I might assign a random code to the user at this time, and send that code in the message to the friend. When it gets returned your user gets credit.

The friend would not be able to trigger extra credits to the user.

So does anyone know what I record to ensure 100% that the user is not clicking the link more than once every 24 hours?
If you have the users data stored in a table perform a time check. If within 24 hours - no go. If not in the table add a record and go. If older than 24 hours, delete the old record, write a new one and go. Now you have a self-cleaning table too.

e.g.

$q = mysql_query('SELECT user_email_time FROM user_table WHERE user_id=\'' . $user_id . '\'');
$user = mysql_fetch_array($q);

$currentTime = time();

$timeDifference = $currentTime - $user['user_email_time'];

$oneDay = 24 * 60 * 60;

if ($timeDifference >= $oneDay)
{
// Allow an email to be sent and update user row
$updateQuery = mysql_query('UPDATE user_table SET user_email_time=\'' . time() .'\' WHERE user_id=\'' . $user_id . '\'');
// [... mailing code here ...]
} else {
// Not allowed to send another email
}

You could modify that into a temporary email table as suggested before and allow the user to send multiple emails, but restrict them from sending to the same address more than once, or go with this example and allow them to only send one email per day.

Make sense?

You script uses a session variable called $_SESSION['userid']. This holds the user id of the current person logged in. In a simplistic way, all you have to do is test if that variable is set, and if it is you can assume the user is logged in. You then use that variable to get information specific to that user and display it accordingly on your page.

Conceivably you could disable the link, hide the form and/or stop the script from processing the email all from fairly simple if else statements.

You can take the same time concept and apply it to something like a client-side cookie. Cookies aren't fullproof though (people turn them off or delete them), maybe you could combine that with a temporary database table of IP and time, then you might at least control a larger percentage of visitors ability to click on that link twice.

With any method you choose though, you'll still be at the mercy of the user's technical knowledge, and inclination to abuse the application. Using the combination of cookie + IP + user agent you might be able to knock down the percentage people able to abuse the application sufficiently though.

Create a DB table with:

IP
click_time
user_agent

Then when a user clicks on the link for the first time:

check for an entry in the table for the IP (if yes, check if the user agents match, and also if the click time is less than 24 hours ago).

If they don't have an entry, check for a cookie set by your site (in which you should store an encrypted version of a timestamp). If there is a cookie, unencrypt the time and check if it is less than 24 hours.

If they don't have a cookie or a Database entry, or the time is less than 24 hours then allow the link to be used and then write a new cookie and insert/update the database entry.

As you can probably tell, it's going to get a little tedious trying to verify the user, and it's definitely not going to be fullproof... but it'll probably work for something like 98% of visitors, since most people probably aren't technically minded or malicious.

Look up the following in the php manual if you want to take the idea into practice and see what you come up with:

setCookie()
$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']

compare last click time with now

When they go to click again, grab the last clicked time from the db, use mktime again, minus then from now and compare that to the number of seconds in 24 hrs. If the remainder is greater then they get to click again.

encrypting the date, well you need to be able to undo it so don't use any one way encryption. I would say you just need a little obfuscation, mix it up so they don't know its a timestamp. You can do that however you want.

$data1 = mktime (13,45,50,5,10,2005);

$h = date("G");
$m = date("i");
$s = date("s");
$mo = date("n");
$d = date("j");
$y = date("Y");

$data2 = mktime ($h,$m,$s,$mo,$d,$y);

$diff = ($data2 - $data1) / 86400;

echo $diff;

Now, if $data2 is more then 24 hours after $data1 it returns a number greater then 1, now, if it is less how would I convert this to hours minutes and seconds?

if ($diff < 86400) echo 'it hasnt been 24 hrs yet';

you can take diff and divide it any way you want, you are left with seconds so you could turn it into minutes, hrs, whatever

I don't know of any obsfucation scripts, but I know of a handy, lightweight 2-way encryption utility rc4crypt:

[sourceforge.net...]

All you'd have to do is instantiate the class and use it's encrypt() method when you store the date in the cookie. It's an extremely simple class to use.

Remember to unencrypt the data when you get it from the cookie and test that the unencrypted data matches your expected result (someone may have attempted to edit it).