Page 1 of 2

how do you prevent spamming votes and page views

Posted: Sat Mar 13, 2010 4:38 pm
by scarface222
Sorry Abra, turns out sleep is not working lol. I have a vote script and if you click to vote, and press f5 before it finishes, it lets you vote again and the vote goes through and I am not really sure why. Also, I have a simple page view script that updates a page views mysql field on a refresh, and that can also be spammed if f5 is held. Is there any way to

1. prevent the vote spam
2. prevent page view spam and also people who try to use denial of service by using mass bandwidth

here is sample of my vote script

Code:

$id = $_POST['id'];
$action = $_POST['action'];

$query = "SELECT * FROM votes WHERE topic_id='$id'";
$check = mysql_query($query);
while ($row = mysql_fetch_assoc($check)) {
    $curvotes = $row['vote'];
}
setcookie("$id", "0", time() + (60*60*24*365));
// ok, now update the votes
sleep(1.5);
if (!isset($_COOKIE["$id"])) {
    if ($action == 'vote_up') { // voting up
        $votes = $curvotes + 1;
        $q = "UPDATE votes SET vote = $votes WHERE topic_id = $id";
    }
    elseif ($action == 'vote_down') { // voting down
        $votes = $curvotes - 1;
        $q = "UPDATE votes SET vote = $votes WHERE topic_id = $id";
    }

    $r = mysql_query($q);
    if ($r) { // voting done
        echo "$votes";
    }
    elseif (!$r) { // voting failed
        echo "Failed!";
    }
}
else {
    echo "You Already Voted";
}

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 1:01 am
by flying_circus
  • You are not validating your input.
  • Your script is vulnerable to SQL injection.
  • The sleep timer doesn't do anything other than tie up CPU processes for 1.5 seconds. Not good.
  • You cannot set a cookie and then reference it on the same page request. That's not the nature of cookies.
  • Cookies are not the correct vehicle for what you are trying to accomplish.
  • Sessions would probably work better for this, or, as AbraCadaver originally said, "The best is to have them authenticate and store the fact that they have voted in the db."

scarface222 wrote: Is there any way to
1. prevent the vote spam
2. prevent page view spam and also people who try to use denial of service by using mass bandwidth

  1. See above.
  2. No. There is no reliable way, due to the anonymous nature of the internet, unless you are authenticating all of your users and filtering user traffic.

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 10:58 am
by scarface222
Yeah, that was dumb. I didn't think about escaping it because the input was only a button.

1. I currently am just updating one entry for each topic; if I have 1000 entries for each topic, wouldn't that bog down my database unnecessarily?

2. I find the users were able to spam when using cookies by refreshing or clicking really fast; wouldn't the same be true if someone just clicks the button and instead I set a session variable? I do not care if the user votes multiple times with multiple logins, I just want to make it difficult.

3. You said I am not validating my input. The voting is just one button that updates a topic's number; I get escaping it, but what needs to be validated in your opinion?

4. What are cookies usually used for lol?

5. YouTube protects against mass refreshes (holding F5), since views cannot be spammed. Do you or anyone else know how they do this? There is no way they keep one database entry per view, do they? It seemed like their server did not even respond, and thus did not use any bandwidth, when I was spamming refresh.

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 1:25 pm
by flying_circus
scarface222 wrote: 1. I currently am just updating one entry for each topic; if I have 1000 entries for each topic, wouldn't that bog down my database unnecessarily?

I don't understand the concept you are trying to tell me. SQL is extremely fast and is often not the bottleneck in most applications. Querying 1000 rows in a SQL database shouldn't be much load, especially if you are precise in your query and index the rows you intend to search by.

scarface222 wrote: 2. I find the users were able to spam when using cookies by refreshing or clicking really fast; wouldn't the same be true if someone just clicks the button and instead I set a session variable? I do not care if the user votes multiple times with multiple logins, I just want to make it difficult.

Have you tried this, or are you just speculating that sessions won't solve your problem? It certainly won't solve the problem if the user deletes their cookies, because their session id will be lost, but so will your record that they've voted in your original approach. At least with sessions, you don't give the user an option to modify data that you are taking an action upon.

scarface222 wrote: 3. You said I am not validating my input. The voting is just one button that updates a topic's number; I get escaping it, but what needs to be validated in your opinion?

You are pulling an id from a POST value. What happens if I send your server a post of 'a' or better "7 OR 1=1"? If you expect $id to be an unsigned integer, make sure that it is an unsigned integer before using it.

scarface222 wrote: 4. What are cookies usually used for lol?

Storing anonymous navigation data to track a user's state. I rarely use cookies for anything other than storing a session id. When I do store data in a cookie, it is only data that gets compared to something for validation. I never store user information or other information that can manipulate my site.

scarface222 wrote: 5. YouTube protects against mass refreshes (holding F5), since views cannot be spammed. Do you or anyone else know how they do this? There is no way they keep one database entry per view, do they? It seemed like their server did not even respond, and thus did not use any bandwidth, when I was spamming refresh.

For viewing pages, I would not bother. For pages that take an action, such as "cast a vote", you can implement nonces. Nonces are a random key that is generated and placed into a form on every page load. The key is also stored in the user's session. When the user submits the form, if the nonce does not match what's in their session, the form request (ex: vote cast) is rejected.

http://en.wikipedia.org/wiki/Replay_attack
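The nonce scheme described above, as an added example that is not the poster's code: a random token is issued per form load, kept in the session, and consumed on the first submit, so a replayed or re-posted (F5) vote is rejected. Assumes PHP 7+ (random_bytes, hash_equals); the form field names and the 'vote' form label are made up for the example.

```php
<?php
// Added example: session-backed, single-use form nonce against replayed/duplicate submits.
session_start();

// Issue a nonce for a named form, remember it in the session, return it for the hidden field.
function issue_nonce(string $form): string {
    $nonce = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['nonces'][$form] = $nonce;
    return $nonce;
}

// Verify and consume a submitted nonce. Returns true at most once per issued nonce.
function consume_nonce(string $form, ?string $submitted): bool {
    $expected = $_SESSION['nonces'][$form] ?? null;
    if ($expected === null || $submitted === null) {
        return false;                              // nothing issued, or nothing sent
    }
    unset($_SESSION['nonces'][$form]);             // single use: forget it before comparing
    return hash_equals($expected, $submitted);     // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Rendering the vote form: every page load gets a fresh nonce.
    $nonce = issue_nonce('vote');
    echo '<form method="post">';
    echo '<input type="hidden" name="nonce" value="' . htmlspecialchars($nonce, ENT_QUOTES) . '">';
    echo '<input type="hidden" name="id" value="42">';  // constructed sample topic id
    echo '<button name="action" value="vote_up">Vote up</button>';
    echo '</form>';
    exit;
}

// Handling the submit: a browser refresh re-posts the old nonce, which was already consumed.
if (!consume_nonce('vote', $_POST['nonce'] ?? null)) {
    http_response_code(400);
    exit('Stale or duplicate vote request');
}
// ... validate $_POST['id'] and record the vote here ...
echo 'Vote accepted';
```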

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 1:55 pm
by scarface222
Thanks a lot for bearing with me here. I am still fairly new at development, and learning as I go. Your comments have been highly informative and very useful to me. I appreciate it very much that you took the time to explain my concerns. I will implement your suggestions and see how it goes. I just have one question though. If you have the user's id next to their vote in the database, why bother storing information in a session variable, when you can just query the database and see they voted? Or did you mean simply to replace the cookie approach with storing info in a $_SESSION variable by itself, or take the mysql approach by itself?

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 2:08 pm
by flying_circus
scarface222 wrote: or did you mean simply to replace the cookie approach with storing info in a $_SESSION variable by itself, or take the mysql approach by itself?

Yes :mrgreen:

If you are authenticating users that are allowed to vote, then just query the DB to see if they have voted. Do this when you display the poll, so that if they have voted, they won't see an option to vote; just show them the results or a "You've already voted" message.

If you allow anonymous votes, neither cookies nor sessions will do what you want. Though I still hold the position to use sessions rather than cookies, if you go that route.

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 2:33 pm
by scarface222
I am not allowing anonymous votes, so I will take the database approach lol. Thanks again for bearing with me there man haha, I sometimes miss the obvious solution. You have been a big help anyway by pointing out my other coding errors; I will update all my button forms to provide validation and implement your other suggestions.

Re: how do you prevent spamming votes and page views

Posted: Sun Mar 14, 2010 9:25 pm
by scarface222
ok lol one more question. The database approach will not work because I want the user to be able to vote up or down like reddit, and it is too confusing to subtract votes. What would you suggest to do with sessions to prevent a user from voting twice for a variety of topics? For example the topic_id=$id, so should I just set a session variable at the end of the vote.php document? I tried this and it does not work...

// preventive measure
if (!isset($_SESSION["$id"])) {
}
// set session variable
$_SESSION["$id"] = $id;

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 1:47 pm
by scarface222
circus? I see you online man, can you just let me know quick lol.

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 2:08 pm
by flying_circus
You can't use "it is too confusing" as an excuse to compromise your design goal.

Since you are authenticating your voters, I would create a table in the database called votes:

votes:
- vote_id
- poll_id
- user_id
- vote

When the user votes on one of your polls, store the user's id, along with how he voted and the poll id. Then, for displaying the poll, you can select a count of all the records that have voted up, and a count of all the records that were voted down. You can also easily determine if a user has voted on a poll. You can also allow the user to change their vote, if you want.

Scrap the sessions idea.
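The votes table above, worked through as an added example (not flying_circus's code): a UNIQUE key on (poll_id, user_id) lets the database enforce one vote per user per poll, prepared statements keep $id out of the SQL text, and the tally is derived from the rows rather than a running total. Assumes PHP 7+ with PDO, MySQL/MariaDB, the schema in the comment, and that the logged-in user's id is already in $_SESSION['user_id']; the connection parameters are placeholders.

```php
<?php
// Added example: one-row-per-(poll,user) voting with PDO. Assumed schema:
//   CREATE TABLE votes (
//     vote_id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     poll_id INT UNSIGNED NOT NULL,
//     user_id INT UNSIGNED NOT NULL,
//     vote    TINYINT NOT NULL,               -- +1 = up, -1 = down
//     UNIQUE KEY one_vote_per_user (poll_id, user_id)
//   );

// Validate an id from POST: it must be an unsigned integer (so 'a' or "7 OR 1=1" is rejected).
function unsigned_int_or_null($value): ?int {
    if (!is_string($value) && !is_int($value)) return null;
    $r = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $r === false ? null : $r;
}

// Record (or change) a user's vote. Values are bound, never interpolated into SQL.
function cast_vote(PDO $db, int $poll_id, int $user_id, string $action): bool {
    $vote = ['vote_up' => 1, 'vote_down' => -1][$action] ?? null;
    if ($vote === null) return false;            // unknown action: write nothing
    $stmt = $db->prepare(
        'INSERT INTO votes (poll_id, user_id, vote) VALUES (:poll, :user, :vote)
         ON DUPLICATE KEY UPDATE vote = VALUES(vote)'   // a second vote replaces the first
    );
    return $stmt->execute([':poll' => $poll_id, ':user' => $user_id, ':vote' => $vote]);
}

// Up/down counts for display, computed from the rows each time.
function poll_tally(PDO $db, int $poll_id): array {
    $stmt = $db->prepare(
        'SELECT SUM(vote = 1) AS ups, SUM(vote = -1) AS downs FROM votes WHERE poll_id = :poll'
    );
    $stmt->execute([':poll' => $poll_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ['up' => (int)$row['ups'], 'down' => (int)$row['downs']];   // NULL -> 0 when no rows
}

// Request handling: the user id comes from the authenticated session, never from the form.
session_start();
$poll_id = unsigned_int_or_null($_POST['id'] ?? null);
$user_id = $_SESSION['user_id'] ?? null;
if ($poll_id === null || $user_id === null) {
    http_response_code(400);
    exit('Bad request');
}
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',   // placeholders
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
cast_vote($db, $poll_id, (int)$user_id, $_POST['action'] ?? '');
echo json_encode(poll_tally($db, $poll_id));
```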

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 2:35 pm
by scarface222
ok that is actually a great idea lol, nice structure suggestion. I will implement it and let you know how it goes. I am just curious, this is kind of a non-related/silly question, but how long have you been developing for? I know it takes about 5-10 years to become a complete expert at something, and I have been practicing for about 10 months now, so I am just curious how long it took you to have a pretty broad understanding. I find I can read code and know what is going on perfectly, but I often miss obvious solutions and have trouble writing it. I have been trying to finish this project, and then after I am going to develop my skills by reading a lot lol; I have lots of up-to-date books. Then maybe I can actually contribute on this forum lol and know what I am talking about.

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 4:18 pm
by Sephern
Sorry to go slightly off topic, but it may help you in the future in terms of development. Remember that users can clear cookies and sessions with relative ease, and therefore it's an unreliable method of doing things like stopping vote spamming. On the contrary (if accounts aren't an option, obviously), storing the IP is probably the best method, then preventing an IP from voting more than once. Although there are notable downsides to it (people changing their IP), it's a lot more reliable than sessions and cookies.

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 5:51 pm
by scarface222
That is a good point; I appreciate any advice, always. I fully think circus is right about his table structure in terms of votes, but I do agree with you. However, in terms of page views, I looked into the structure of phpBB (a free forum package) and they used this function for views; however, sessions are kind of my weak point. I posted a topic earlier about trying to keep unique page views. Obviously I do not care if someone clears their cache and then refreshes, because it would take forever to exaggerate page views or would be too complicated for most people, so I thought sessions for views would be better than keeping a table of IPs for each topic. However, I am not really sure how unique session ids work for each page. This is a snippet of their view handler (phpBB). Now I know it is object-oriented programming, so the information for $user and such is not shown, but if anyone has seen some sort of function like this before that takes into consideration search bots and individual users for tallying views (I think this forum uses it too since it is phpBB), please, if you can give me any pointers in the direction to go for interpreting this, let me know. Thanks again everyone.

Code:

// Count a view only when this session's last recorded page was not already this topic
// (or the session was just created), and never for a known search bot.
if (isset($user->data['session_page']) && !$user->data['is_bot']
    && (strpos($user->data['session_page'], '&t=' . $topic_id) === false
        || isset($user->data['session_created'])))
{
    // The increment is done in SQL, so the counter is never read and written back from PHP.
    $sql = 'UPDATE ' . TOPICS_TABLE . '
        SET topic_views = topic_views + 1, topic_last_view_time = ' . time() . "
        WHERE topic_id = $topic_id";
    $db->sql_query($sql);
}

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 6:24 pm
by flying_circus
What are you trying to do? Just increment a counter, as in "This page has been viewed x amount of times"?

I understand the thought process of binding things to an IP, but to me, it just doesn't make sense. More and more people are behind a NAT or proxy these days. If you are in a cafeteria or coffee shop, chances are your IP registers the same as everyone else that is connected through that access point wirelessly. That is the nature of NATs. It's probably not a bad idea to bind brute-force countermeasures to an IP, but for things like casting a vote, I don't view it as a viable option. You would have to decide what's better: a poll that doesn't allow everyone to vote, or a poll that allows everyone to vote more than once. The former is more work, but the latter requires no work. Either way, your results are skewed.

Re: how do you prevent spamming votes and page views

Posted: Mon Mar 15, 2010 6:44 pm
by scarface222
No, I completely agree; sorry I keep flopping all over the place. I think your method for voting should be adequate, since only registered users can vote, so that is pretty much solved. I am talking about attaching a session value to each page somehow so users can't just hold F5 and get 1000 views in a minute (I tested it and that can happen). I am just not fully sure how to implement it, so I looked into the structure of this forum (since they are using an open-source code base) and copied their view function in that snippet. It seems they are protecting against bot hits and user hits using sessions, and I just am not quite advanced enough to figure it out in a timely manner, so I was just wondering if anyone who has seen a similar function could either explain it, suggest a method and show a small example, or just point me in the right direction.
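A session-scoped view counter in the spirit of the phpBB snippet quoted earlier, as an added example (not phpBB's code and not from this thread): the session remembers which topics it has already been counted for, so holding F5 within one session adds nothing, bots are skipped, and the increment is a single atomic UPDATE. Assumes PHP 7.1+ with PDO, the topic id arriving as ?t=, and a `topics` table with the column names from the snippet (topic_id, topic_views, topic_last_view_time); the bot check and connection parameters are stand-ins.

```php
<?php
// Added example: count one view per session per topic, skip bots, increment atomically.

// Pure decision: given the session's already-counted topics, should this request count?
// Returns [updated list, decision] so it can be exercised without a database.
function should_count_view(array $viewed, int $topic_id, bool $is_bot): array {
    if ($is_bot || isset($viewed[$topic_id])) {
        return [$viewed, false];                 // bot, or already counted in this session
    }
    $viewed[$topic_id] = time();                 // remember when this session first counted it
    return [$viewed, true];
}

// Crude User-Agent bot check (phpBB keeps a maintained bot table; this is a stand-in).
function looks_like_bot(string $ua): bool {
    return (bool)preg_match('/bot|crawl|spider|slurp/i', $ua);
}

// Single UPDATE with the arithmetic in SQL: two concurrent requests cannot both read the
// same old count and write it back, which is the race in the original vote script.
function record_view(PDO $db, int $topic_id): bool {
    $stmt = $db->prepare('UPDATE topics SET topic_views = topic_views + 1,
                          topic_last_view_time = :now WHERE topic_id = :id');
    return $stmt->execute([':now' => time(), ':id' => $topic_id]);
}

session_start();
$topic_id = filter_var($_GET['t'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($topic_id === false) {
    http_response_code(400);
    exit('Bad topic id');
}
[$_SESSION['viewed_topics'], $count] = should_count_view(
    $_SESSION['viewed_topics'] ?? [],
    $topic_id,
    looks_like_bot($_SERVER['HTTP_USER_AGENT'] ?? '')
);
if ($count) {
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',   // placeholders
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    record_view($db, $topic_id);
}
```

Clearing cookies starts a new session and gets one more count, which is the trade-off the thread already accepts; the session state itself lives server-side, so the visitor cannot edit it the way they could a cookie.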