A client of mine is holding a conference and we have the task of creating a booking system for them. However they have requested that we use QR codes so that on the door, a person can simply present their QR code, be scanned, and boom! they are signed in.
This isn't so much of a problem because I thought well I could use a long URL to connect to our DB and sign the person in, mark them as booked in/confirmed, and be done with it.
That's all very easy, the problem is then that what if the person scan's the QR code themselves? How do ensure that, only the people who are on the door of the conference have the power to scan the barcodes and sign people in?
I am limited really to php / jquery, if I knew XCODE I would write an App but I don't.
Thoughts I had:
-
Get the IP of the local WIFI, and only accept requests from that (however that does not stop the public from signing in)
-
Use some variable in $_SERVER[] that I could map as coming from a certain person's phone only.
Best Answer
You shouldn't put an URL in the QR code. It should only contain an ID that is represents their ticket. Then when you scan the persons QR code at the door, you check if that ID is valid and let them enter if it is.
Assuming your ID is sufficiently large, this would be near impossible to abuse.