I posted a question yesterday about someone using a bot to exploit my betting site and press "Roll" multiple times very quickly, to get the same roll numbers.
Stop bot sending multiple requests quickly. PHP + AJAX
The answer someone gave me was to use locking. So I did, but he came back and it didn't work. See below:
Can someone look at my code and tell me what I'm doing wrong, or if it's just not enough?
The page sends the request using AJAX; you can find the code in the previous question, as I don't believe it's relevant.
It sends it to a PHP file, an extract of which is below:
```php
include '../../inc/functions.php'; //This is where the lock functions are stored.
$lock = acquire_lock("foo");
if (empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();
$newSeed=generateServerSeed();
mysql_query("UPDATE `players` SET `server_seed`='$newSeed' WHERE `id`=$playerinv[id] LIMIT 1");
$settings=mysql_fetch_array(mysql_query("SELECT * FROM `system` LIMIT 1"));
$player=mysql_fetch_array(mysql_query("SELECT * FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));
$player['server_seed_']=$player['server_seed'];
$player['server_seed']=(double)substr($player['server_seed'],27);
// More content...
release_lock($lock);
?>
```
`$newSeed` is the variable which has the roll number. As you can see, a new one is usually generated each run-time.
Inside functions.php is the following:
```php
<?php
function acquire_lock($name) {
    return fopen($name, "rw");
}
function release_lock($lock) {
    fclose($lock);
}
?>
```
Thank you for taking the time to read and let me know what you think/solutions.
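The following is an added example, not part of the original post: it contrasts a lock helper that only calls `fopen()` with one that also calls `flock()`, using two handles to stand in for two simultaneous "Roll" requests. The lock directory, the per-player lock name and the helper names `lock_path()` and `open_only()` are assumptions.

```php
<?php
// Added example, not the poster's code. The lock directory (system temp dir)
// and the per-player lock name are assumptions made for this sketch.
function lock_path($name) {
    return sys_get_temp_dir() . '/roll_' . md5($name) . '.lock';
}

// fopen() alone returns a handle but takes no lock at all.
function open_only($name) {
    return fopen(lock_path($name), 'c'); // 'c': create if missing, never truncate
}

// With flock(): LOCK_EX waits until no other handle holds the lock.
// $nonBlocking adds LOCK_NB so a contended attempt returns false instead of waiting.
function acquire_lock($name, $nonBlocking = false) {
    $fp = fopen(lock_path($name), 'c');
    if ($fp === false) {
        return false;
    }
    if (!flock($fp, $nonBlocking ? (LOCK_EX | LOCK_NB) : LOCK_EX)) {
        fclose($fp);
        return false;
    }
    return $fp;
}

function release_lock($lock) {
    flock($lock, LOCK_UN);
    fclose($lock);
}

$name = 'player_42'; // constructed player id
// Two "requests" using fopen() alone: both proceed at once.
$x = open_only($name);
$y = open_only($name);
echo 'fopen only, both handles open: ';
var_dump(is_resource($x) && is_resource($y));
fclose($x); fclose($y);

// The same two requests with flock(): the second is refused while the first holds it.
// (Assumes a platform where flock() is tracked per open handle, e.g. Linux.)
$first  = acquire_lock($name);
$second = acquire_lock($name, true);
echo 'second request refused while locked: ';
var_dump($second === false);
release_lock($first);
$third = acquire_lock($name, true);
echo 'lock available after release: ';
var_dump($third !== false);
release_lock($third);
```

In a request handler, everything from reading the player's seed to writing the new one has to sit between `acquire_lock()` and `release_lock()`, and the lock file has to be on a filesystem shared by every PHP worker that serves the site.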