I have a client/server application.
It's an android app backed by php/MySQL server.
I need the user to be able to invite people to download the app
by sharing the download link, something like http://domain.com/invite.php?userid=12345
and track the number of people that have clicked on the link (on the server).
I could increment that number every time the link is clicked
but, obviously, the problem is that the user could click on its own link
and increase his/her score.
What is the best way to avoid cheating the invites system?
The most painless way would be to use cookies to track a re-visit, and possibly validate the User-Agent. It's fairly easy to fake headers though, so it's not the most secure approach.
Alternatively, have a validation page - e.g. the link you share goes to a page requesting either an email address or phone number, then you email or SMS the real link to the new user. This way, you can filter out duplicates fairly easily, at the cost of privacy issues.
There are lots of SMS gateway providers out there, and message costs are fairly low, although you need a paid app for this approach to make sense.
Hope this helps,
Phil Lello