scarface222 wrote:1. I currently am just updating one entry for each topic; if I have 1000 entries for each topic wouldn't that bog down my database unnecessarily?
I don't understand the concept you are trying to tell me. SQL is extremely fast and is often not the bottleneck in most applications. Querying 1000 rows in a SQL database shouldn't be much load, especially if you are precise in your query and index the rows you intend to search by.
scarface222 wrote:2. I find the users were able to spam when using cookies by refreshing or clicking really fast, wouldn't the same be true if someone just clicks the button and instead I set a session variable? I do not care if the user votes multiple times with multiple log ins, I just want to make it difficult.
Have you tried this or are you just speculating that sessions won't solve your problem? It certainly won't solve the problem if the user deletes their cookies because their session id will be lost, but so is your record that they've voted in your original approach. At least with sessions, you don't give the user an option to modify data that you are taking an action upon.
scarface222 wrote:3. You said I am not validating my input; the voting is just one button that updates a topic's number. I get escaping it, but what needs to be validated in your opinion?
You are pulling an id from a POST value. What happens if I send your server a post of 'a' or better "7 OR 1=1"? If you expect $id to be an unsigned integer, make sure that it is an unsigned integer before using it.
scarface222 wrote:4. What are cookies usually used for lol?
Storing anonymous navigation data to track a user's state. I rarely use cookies for anything other than storing a session id. When I do store data in a cookie, it is only data that gets compared to something for validation. I never store user information or other information that can manipulate my site.
scarface222 wrote:5. YouTube protects against mass refreshes holding F5, since views cannot be spammed. Do you or anyone else know how they do this? There is no way they keep one database entry per view, do they? It seemed like their server did not even respond and thus did not use any bandwidth when I was spamming refresh.
For viewing pages, I would not bother. For pages that take an action, such as "cast a vote", you can implement nonces. Nonces are a random key that is generated and placed into a form on every page load. The key is also stored in the user's session. When the user submits the form, if the nonce does not match what's in their session, the form request (e.g. vote cast) is rejected.
http://en.wikipedia.org/wiki/Replay_attack
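The two points from the reply above, validating the POSTed id as an unsigned integer and using a single-use session nonce on the vote form, put together as an added example (not code from either poster). It assumes a PDO connection in `$pdo`, the topic being displayed in `$topic_id`, and a `topics` table with `id` and `votes` columns; all three are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo (PDO connection)
// and $topic_id (topic being shown) are set up by the surrounding page.
session_start();

// Called when rendering the vote form: mint a fresh nonce for this page load.
function issue_vote_nonce(): string {
    $nonce = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['vote_nonce'] = $nonce;
    return $nonce;
}

// Accept only a plain unsigned integer, so "a", "7 OR 1=1", "-3", "1.5"
// and array inputs like id[]=1 are all refused before reaching the database.
function validate_topic_id($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Called on POST. True only if the nonce matches the session and is unused.
function consume_vote_nonce(?string $submitted): bool {
    $expected = $_SESSION['vote_nonce'] ?? null;
    unset($_SESSION['vote_nonce']);              // single use: refresh/replay fails
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = validate_topic_id($_POST['id'] ?? null);
    if ($id === null || !consume_vote_nonce($_POST['nonce'] ?? null)) {
        http_response_code(400);
        exit('Vote rejected.');
    }
    // Parameterised update: $id is bound as an integer, never interpolated.
    $stmt = $pdo->prepare('UPDATE topics SET votes = votes + 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    header('Location: /topic.php?id=' . $id);   // redirect so F5 re-GETs, not re-POSTs
    exit;
}

$nonce = issue_vote_nonce();
?>
<form method="post">
  <input type="hidden" name="id" value="<?= (int) $topic_id ?>">
  <input type="hidden" name="nonce" value="<?= htmlspecialchars($nonce) ?>">
  <button type="submit">Vote</button>
</form>
```

Because the nonce is removed from the session on first use, a held-down F5 or a replayed POST carries a stale nonce and is rejected without touching the database.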