How do I make a simple sales authentication webpage?
December 5, 2016 2:09 PM   Subscribe

I've been selling my game (Artemis Spaceship Bridge Simulator) for 6 years. For almost every purchaser, I have a unique sales code, a name, and email address (currently in a google spreadsheet). Customers contact me daily to replace their lost copy, and I'm happy to do so after verifying their previous purchase, but it's a hassle, and I really want to automate this task. I'm not much of a web dev, though, mostly a C++ game dev. What I know about HTML, Javascript, and mySQL is just enough to be really dangerous.

I posted this question to Stack Overflow, but was told they don't answer such broad questions. I've done my googling, but can't find anything on point.

But I know the job could be done with a mySQL DB and some javascript, integrated into my existing website. AND I just found Google Scripts, which could (apparently) also do the job. So I'm not asking for code; I just want your expert opinion.

What's the best, easiest way to implement a webpage that lets my user type in their name, email, or order ID, then it checks that the input matches a cell in the DB, at which time it shows the user a DL link to my game?
posted by Techbear to Computers & Internet (10 answers total) 4 users marked this as a favorite
 
What is your current website built on? Is it purely static content? If it is, do you know what webserver is serving it (apache, nginx, etc)?

If you were my client I would do this in the absolute simplest way possible, which would probably be a really silly/simple CGI script. Possibly I wouldn't even bother with a real database, just like a CSV dumped from your google doc. I am imagining that your volume is going to be really low, like a few requests a day or something?

If google docs has a simple API you could probably continue to store the details in google docs itself and treat it as your database.
posted by RustyBrooks at 2:18 PM on December 5, 2016


Ok, so the first issue to consider is a privacy/security issue. You might not care a whole lot if someone types in a random name, email, or order number and spoofs your link for a free download, but I'd vote for using less personally identifiable details if you can. Like, can I type in my kids' teacher's email address and get a download link? Did my kids' teacher think their purchase was relatively private, and now kind of embarrassed to be outed as a RaceDriver2000:Death on Wheels player? (Or, you know, whatever.)

If that's not an issue (and I think maybe it should be), then just a web form on a simple PHP page that does a MySQL lookup should do it. (Or are you asking for framework recommendations? I'm not sure what level your question is at.)
posted by instamatic at 2:22 PM on December 5, 2016 [1 favorite]


Is it possible to sell a $40 version on Steam, and give away a free version on your site?

The free version only works in the presence of at least one copy of the $40 version.

Failing that, I vote for "Enter your email address here, and if you're a valid customer we'll email you a download link that will work for 24 hours". There's more implicit verification involved that way.
posted by Leon at 2:27 PM on December 5, 2016 [6 favorites]


What I know about ... mySQL is just enough to be really dangerous

If you don't know how to prevent SQL Injection, you can be truly dangerous to your data and your server. A lot of the tutorials and examples on Stackoverflow and the like are dangerous.

What's the best, easiest way to implement a webpage that lets my user type in their name, email, or order ID, then it checks that the input matches a cell in the DB, at which time it shows the user a DL link to my game?

What's the tradeoff between convenience for you and your users vs. protecting the download that you want? You theoretically want to do things like keep track of how many times it's been re-downloaded so someone doesn't just post the information on a forum. If you are using names, you might need some fuzzy matching, so that if Random Q Purchaser forgets that he used his middle initial when buying it, he doesn't have to pester you after the automated system rejects Random Purchaser as a name. You need some kind of mechanism to do the download so that only authorized people can do so - there's a few different ways of doing that, depending on what your web server is running (e.g. PHP, Perl, etc).

If you want, I know a web developer that loves your game that might be willing to do the work for free/cheap as a thank you for the time he's enjoyed playing it.
posted by Candleman at 2:52 PM on December 5, 2016 [1 favorite]


Just came in here to say that Artemis Spaceship Bridge Simulator is a 10/10 super awesome game. Thanks for making it!
posted by CompanionCube at 2:53 PM on December 5, 2016 [5 favorites]


Pretty much itch.io is perfect for this. As opposed to steam, itch.io does not automatically take a cut (though they of course give you the option of giving them one if you so choose).

"Can I give some people access to my game without having them pay?

Sure. You can generate what itch.io calls, “download keys”. A download key is a special URL that gives someone full access to download your game without having to buy it. This is perfect for giving out copies of your game to press or backers of a crowdfunding campaign."

So you just hand free keys to all your existing customers and presto, done.
posted by juv3nal at 3:40 PM on December 5, 2016 [1 favorite]


apologies, by default (so can be read as "automatically") itch.io takes a 10% cut, but creators can turn that down to zero if they like. which is still better than steam which, as far as I know, gives no choice in this regard.
posted by juv3nal at 3:49 PM on December 5, 2016


I use Google Scripts quite a bit, but I'd recommend you don't use them - I agree that the privacy issues are serious enough that it would make me hesitant. I like the free/paid version idea a lot.

Also, I've seen your game played by a huge group of students at a high school I taught at, and it was seriously transformational. I saw kids who were totally withdrawn in all other contexts and who took a leadership role in the collaborative gameplay. As a teacher, that's what I aim to do and I can't thank you enough for making that happen for my students.
posted by guster4lovers at 4:33 PM on December 5, 2016 [3 favorites]


I'd probably set it up so the user enters an email into a web form and then be emailed a link and password to redownload/get a lost key. If you have the same output no matter whether the email is actually valid, that ameliorates the privacy issue.

You just don't send an email or send a "sorry, we couldn't find you in our records, please contact x for further assistance" message for people that don't match.

If you're never inserting anything into the database, use the language's API with tokenization to generate queries rather than doing it yourself, limit the web server's credentials to only allow read access to the DB, and ensure that the code that sends the email only reads the first row returned (or errors if more than one is returned, rather than spitting out a bunch of records into one email) you should be safe from injection attacks.

Rather than a download script, I'd probably just generate symlinks to the file and run a from job daily or weekly that cleaned up old ones after a while or not even bother (and just let anyone download the setup file) if the game requires a license key.

Pirates gonna pirate, so putting a bunch of thought into keeping people from pirating isn't usually worth it unless you're doing online activation in the game itself, since that is the only thing that actually works against dishonest people.
posted by wierdo at 7:37 PM on December 5, 2016


Thank you for your kind words about my videogame. :)

It appears the consensus is for me to hire a competent web coder to do this job for me. Good to know. Thank you!
posted by Techbear at 10:34 AM on December 6, 2016


« Older Can I Eat This: Use 1.5 year old frozen suet in a...   |   Civil Rights Fundraising Ideas for Inauguration... Newer »
This thread is closed to new comments.