I am working with Qualtrics, which is just a web-based survey engine. The request is that, once users finish the survey, they will receive a small prize in the form of a gift code. Since I can't host the prize code data on the Qualtrics platform, my idea was to store the prize codes on a remote server. When the user finishes the survey they will be directed to my server (https), to a PHP script that will give out the prizes. On the surface this is possible, because as one piece of customization they allow you to re-direct to a URL upon completion of the survey.

The problems that I am faced with, regarding my PHP script that gives out the prizes are as follows:

  1) Make sure visitors have COME FROM the survey and have actually finished the survey.

  2) Only give out 1 prize per participant per survey.

It is difficult to address #1 because it seems like after the survey is complete, you just get a basic re-direct to my site. It would be possible to add GET data to the URL, but it's very easily readable and doesn't offer security. Even encrypting the GET data doesn't seem feasible because a hacker could just copy the data string once they see it.

The idea I had to address #2 was to check the user's IP address using PHP, and store the address in my DB after a 1-way encryption. This way the IP would be unknown, but I could check for duplicates, only allowing 1 prize per IP.

So the question is, is it even possible to do what I am trying to do with just a simple URL re-direct? Is my idea for addressing #2 acceptable?

Thanks.

T. Gibbons
jeffery_the_wind
  • A long enough GET param is secure if it changes for each completed survey (see password reset emails; they also use GET params to verify the request). #2 is not that easy, as it's easy to get multiple IPs, addresses, phone numbers, ..., but of course he/she needs to fill out the survey twice to get another valid GET param – Roland Starke Mar 18 '16 at 10:35
  • Yeah one of the main problems is I don't think I can make a GET param dynamic for each survey... it would just be some fixed variable in the URL – jeffery_the_wind Mar 18 '16 at 14:00

2 Answers

There are probably many ways this could be handled. Two that come to mind:

1) At the end of survey, Qualtrics creates an embedded data field called ResponseID which is in the Qualtrics data. You can include the ResponseID in the redirect then have your PHP script call the Qualtrics REST API, and try to retrieve the response with that ResponseID to make sure it exists.

2) Just before the end of survey, you could do a web service call to a script that creates a unique id, store the id on the server side, and return it to the survey as an embedded data field. Then pass the unique id in your redirect and make sure it matches a unique id you stored.

EDIT based on comment below: You can add custom parameters to your redirect by piping in parameter values like this:

http://mywebsite.com/myscript.php?rid=${e://Field/ResponseID}
T. Gibbons
  • The main issue I see with both of these methods is being able to include these dynamic parameters in the redirect. As far as I can tell the redirect is just a fixed address. – jeffery_the_wind Mar 18 '16 at 14:03
  • I am reading up on the REST API now, looks like it will have the tools I need. Just like I said still not sure about redirecting with custom parameters, although maybe some parameters are added to the redirect by default. – jeffery_the_wind Mar 18 '16 at 14:13
  • About adding custom parameters - see edited answer above. – T. Gibbons Mar 18 '16 at 14:19
  • You have a link to the documentation that shows this technique, I didn't come across that yet? – jeffery_the_wind Mar 18 '16 at 14:36
  • I don't know if I've seen it documented. I tried it and it worked...I've done it hundreds of times since then. – T. Gibbons Mar 18 '16 at 14:53
  • I already tested it and it works like a charm, I just don't know how you would figure that out on your own. Helps me out tremendously. Thanks. – jeffery_the_wind Mar 18 '16 at 15:05
  • Well, you can pipe data just about everywhere in Qualtrics. I only know of one specific instance where you can't...and that's an open bug. – T. Gibbons Mar 18 '16 at 15:50
  • Well this is my first exposure to it, you've helped so much. Turns out API may not be available for this project so I think I will have to go with #2 above, also a great suggestion. – jeffery_the_wind Mar 18 '16 at 18:43
  • Sorry, just one more comment about #2. Would it be possible for someone to emulate the web service call, thereby receiving the unique id returned by the service call? They could then send that ID to the prize script? Is there a way for my server to prove the web service call is coming from Qualtrics and not some other source? – jeffery_the_wind Mar 18 '16 at 19:11
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/106761/discussion-between-t-gibbons-and-jeffery-the-wind). – T. Gibbons Mar 18 '16 at 19:43
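
Option 2 from the answer above, written out as an added example (this is not code from the original answer or from Qualtrics): the web service step issues a random single-use token, and the prize script redeems it atomically so that replaying the same redirect URL yields nothing. The table names, the function names `issueToken` and `redeemToken`, the in-memory SQLite database and the `GIFT-*` codes are all assumptions made for illustration.

```php
<?php
// Added example, not from the post: hypothetical table and function names;
// in-memory SQLite and the GIFT-* codes are constructed stand-ins.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, redeemed_at INTEGER)');
$db->exec('CREATE TABLE prizes (code TEXT PRIMARY KEY, token_hash TEXT UNIQUE)');
$db->exec("INSERT INTO prizes (code) VALUES ('GIFT-AAAA'), ('GIFT-BBBB')");

// Web service step, called by the survey just before it ends.
function issueToken(PDO $db): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO tokens (token_hash) VALUES (?)')
       ->execute([hash('sha256', $token)]); // keep only the hash server-side
    return $token; // goes back to the survey as an embedded data field
}

// Prize script, called with the value from the redirect URL.
function redeemToken(PDO $db, string $token): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    // Atomic claim: only one request can move redeemed_at away from NULL.
    $claim = $db->prepare(
        'UPDATE tokens SET redeemed_at = ? WHERE token_hash = ? AND redeemed_at IS NULL'
    );
    $claim->execute([time(), $hash]);
    $code = $claim->rowCount() === 1
        ? $db->query('SELECT code FROM prizes WHERE token_hash IS NULL LIMIT 1')->fetchColumn()
        : false;
    if ($code !== false) {
        $assign = $db->prepare(
            'UPDATE prizes SET token_hash = ? WHERE code = ? AND token_hash IS NULL'
        );
        $assign->execute([$hash, $code]);
        if ($assign->rowCount() === 1) {
            $db->commit();
            return $code;
        }
    }
    $db->rollBack(); // unknown token, replay, or no prize left
    return null;
}
$t = issueToken($db);
var_dump(redeemToken($db, $t), redeemToken($db, $t)); // prize code, then NULL on replay
```

Because only the SHA-256 of each token is stored, a copy of the `tokens` table does not contain redeemable URLs, and the rollback path leaves a valid token unredeemed if the prize pool is empty.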

If you are able to generate a special request parameter for the redirect URL and make it unique for every user, then you could invent some algorithm, encrypt the user ID with it, and pass this ID as a parameter in the redirect URL.

Vitaly Kulikov