What techniques are there for preventing multiple submissions to a competition?


Some methods you could use:

  • Captcha: Stops bots submitting the form
  • Email Validation: Send them an email with a unique link to activate their competition entry. Stops invalid email addresses.
  • Mobile Number Validation: Send them a text message with an activation code. Stops invalid phone numbers.

In my opinion your approach should not be to prevent submission of entries but to require a level of validation on the details entered.


CONS of CAPTCHA:

  1. Users hate it, and it can be frustrating when implemented poorly (failed captcha resets other form fields for instance).
  2. Can be difficult for legit users to complete when the letters are hard to read.
  3. Doesn't always work. Someone just scammed Ticketmaster by beating ReCAPTCHA a few months ago for instance*.
  4. Ugly, more code to implement, and it passes the burden or responsibility from you to the users. PROVE YOU ARE HUMAN is not what I want to see when sending a form, very insulting.

@Nick's got the right idea, use text/email validation. IP checking can be OK sometimes, but as you said, you're getting unique IPs with the same mobile number, so it's not reliable.

There are lots of great posts here regarding CAPTCHA alternatives, definitely worth a read if you plan on employing it. You'll probably have to find a balance between making it easy for the user (encouraging submissions) and front end security techniques.

Why though, can't you simply disregard duplicate mobile numbers or phone number + IP combination? Just because they can submit multiple times doesn't mean you have to accept it. If it is a human, let them think they are sending in multiple votes :)

*Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCaptcha, which is also used by Facebook. It’s a third-party Captcha that feeds a Captcha challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCaptcha, which then transmits a Captcha challenge to the customer.

But the defendants allegedly were able to thwart this, as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said.


Captcha is perfect in spam protection while confusing people very often.

But there is a workaround - you can use JavaScript to hide the captcha for real users (using browsers with JavaScript turned ON) while it will always be "visible" for spam bots (that do not have JS). It's quite simple - just by using JS you set the div where the captcha is held to display:none, and create a hidden input with a value containing that from the captcha image...

The strongest approach may be email validation - but then it sometimes means rewriting the application. If the user submits his reply, you register it as not active and send him a validation email to the email address provided. If it is valid, after clicking on the link he will validate his email answer and you can turn his reply to status active...

Also a good workaround for users to prevent the re-submitting of forms on refresh is to redirect users to that same page after the form is submitted and processed... Yes, it takes a second or two longer to view the result, but it's much safer...
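The email-validation flow and the "disregard duplicates" idea from the answers above, combined in one sketch. This is an added example, not code from any of the posters; it is written in Python rather than CodeIgniter/PHP, and the in-memory store, function names and sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key (assumption: persisted in real use)
entries = {}                      # normalized email -> {"phone": ..., "status": ...}
claimed_phones = set()            # phone numbers tied to an *activated* entry

def normalize_email(email):
    return email.strip().lower()

def normalize_phone(phone):
    # Simplification: digits only. Real code would also unify national and
    # international forms of the same number.
    return "".join(ch for ch in phone if ch.isdigit())

def token_for(email):
    # Token that goes into the emailed activation link; unguessable without SECRET.
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()

def submit(email, phone):
    """Record a pending entry and return the token to email out.
    Returns None for a duplicate; the caller can still show the normal
    thank-you page so the submitter learns nothing."""
    email, phone = normalize_email(email), normalize_phone(phone)
    existing = entries.get(email)
    if phone in claimed_phones or (existing and existing["status"] == "active"):
        return None
    # A pending entry is overwritten, so a typo or a stranger squatting on an
    # address does not lock the real owner out.
    entries[email] = {"phone": phone, "status": "pending"}
    return token_for(email)

def activate(email, token):
    """Called when the emailed link is clicked. The phone number is claimed
    only here, so unverified entries cannot reserve someone else's number."""
    email = normalize_email(email)
    entry = entries.get(email)
    if entry is None:
        return False
    if not hmac.compare_digest(token_for(email).encode(), token.encode()):
        return False
    if entry["status"] != "active" and entry["phone"] in claimed_phones:
        return False
    entry["status"] = "active"
    claimed_phones.add(entry["phone"])
    return True

def active_entries():
    return sorted(e for e, v in entries.items() if v["status"] == "active")
```

Only entries returned by `active_entries()` go into the draw; pending rows can be purged after a timeout.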