Voting cheaters who press BACK in the browser. Can I defeat?
Posted: Wed Jan 28, 2004 3:57 pm
Hi 
I have FINALLY got my voting system working! It can unfortunately be cheated with the user pressing BACK and doubling their vote. Here is how it works for now:
1) Show voting page
2) user places vote
3) this is done with formdata that loads another page, does the database and php stuff, then re-directs back to the page the user voted from, showing their updated votes.
Now that all works PERFECTLY!
I love it! The problem is, when the user presses BACK it goes to the page that does the database and php stuff and re-votes as the formdata reloads also.
I will post the code for this page (the one that does the voting after taking the formdata from the actual vote choice page) and I wonder if anyone can theorise a way to stop that happening? It'd be really appreciated. SUCH a challenge!
Rob
<?php
require("config.php");
$connection = mysql_connect($dbhost, $dbusername, $dbpassword);
require_once ("forum/ipbsdk.php"); // Include SDK Functions and Files
//============================================
// Get User POST data and assign to variables
//============================================
$Submit = trim(stripslashes($_POST['submit']));
$MemberId = trim(stripslashes($_POST['MemberId']));
$uid = trim(stripslashes($_POST['uid']));
$entryid = trim(stripslashes($_POST['entryid']));
$year = trim(stripslashes($_POST['year']));
$month = trim(stripslashes($_POST['month']));
$choice = trim(stripslashes($_POST['Choose']));
//=======================================================================
// Convert the $choice variable to something intelligible for the database
//=======================================================================
if ($choice == "1 - Poor")
{
$chosen = "1";
}
if ($choice == "2 - Better")
{
$chosen = "2";
}
if ($choice == "3 - Good")
{
$chosen = "3";
}
if ($choice == "4 - Very Good")
{
$chosen = "4";
}
if ($choice == "5 - Excellent")
{
$chosen = "5";
}
//========================================================================================
// Let's Actually do the thing. Let's see if they're logged in, if they've voted etc etc
//========================================================================================
//Is the user logged in?
if (is_loggedin()) {
//Get the logged in users information
$userinfoid = get_info();
//now find out that users ID
$member_id = $userinfoid['id'];
//Set x to 0 meaning we presume that memberid has not voted yet
$x = "0";
//========================
// Check if user has voted
//========================
$votecontent = mysql_db_query($dbname, "SELECT * FROM votes ORDER BY id ASC");
$Xvotecontent = mysql_fetch_array($votecontent);
$Max = mysql_num_rows($votecontent);
for ($loop=1; $loop<=$Max; $loop++)
{
$VotesEid = $Xvotecontent["eid"];
$VotesUid = $Xvotecontent["uid"];
$Votesrating = $Xvotecontent["rating"];
$VotesMonth = $Xvotecontent["month"];
$VotesYear = $Xvotecontent["year"];
if ($VotesUid == $member_id) //If logged in user HAS voted
{
if ($year == $VotesYear) //If user voted in the same year
{
if ($month == $VotesMonth) //If user voted in the same month in the same year
{
if ($uid == $VotesEid) //If user voted in the same month in the same year on the same Entry
{
$x = "1"; //User has voted for this entry
$printer = "It seems you have already voted for this entry. You can not vote for an entry more than once..."; //do nothing, they have voted
}
}
}
}
$Xvotecontent = mysql_fetch_array($votecontent);
}//end of for loop
//===========================
//End check if user has voted
//===========================
//============================================================
//Now we know what $x is we know if the user has voted or not
//============================================================
if ($x == "0")
{
//==================================
// Did User Choose a number or not?
//==================================
if ($choice != "Choose Rating")
{
//Do Database Entry stuff here
$printer = "You chose to give entry number <b>$entryid</b> a score of <b>$chosen</b>...";
// Use the logged-in member's id (from the session), not the one posted in the form,
// and cast every value to int before it goes into the SQL string
$Add = mysql_db_query ($dbname, "INSERT INTO votes (id,uid,eid,rating,month,year)
VALUES ('', " . (int)$member_id . ", " . (int)$uid . ", " . (int)$chosen . ", " . (int)$month . ", " . (int)$year . ")") or die(Mysql_Error());
}
else
{
//They have not chosen
$printer = "Sorry, you did not choose a number from 1 - 5...<br/>REMEMBER, you don't have to vote for EVERY entry, just the ones you want to.";
}
}
//or if the user HAS already rated (ie: x == 1) then tell them they've rated and can't do it again
else if ($x == "1")
{
//do nothing
}
//They mustn't be logged in so no, don't stress it... they can't do anything anyway
}
else
{
$printer = "You are not logged in! If you wish to rate this animation please login or register.";
}
?>
<table width="600" align="center" bordercolor="#333333">
<tr>
<td>
<?php
//==============================
// Print the results HERE
//==============================
echo "$printer<br /><br />";
echo "Redirecting you to the voting page in a couple of seconds...<br />";
echo "If you don't get redirected, <a href=\"../current_round.php\">please click here</a>.<br/>";
//echo "<br><br>Submit - <br> member id - $MemberId<b>$id</b><br>VotesUid = $VotesUid<br>VotesMonth - <b>$VotesMonth</b><br> UID - <b>$uid</b><br>VotesYear - <b>$VotesYear</b><br>year - <b>$year</b><br>month - <b>$month</b><br>Choice - <b>$choice</b>";
//=======================================================================================
// Redirect back to the voting page so cheaters can't refresh. Sloppy: if they hit BACK they get a double vote (or some other type of weird vote)
//=======================================================================================
// Every user-agent branch sent the same Location header, so a single redirect covers all browsers.
// Note: output has already been echoed above, so header() only takes effect if output buffering is on.
header("Location: ../current_round.php");
exit;
?>
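One way to stop the BACK/refresh double vote described in the post, added here as an example and not the poster's code. It replaces the user-agent redirect dance with three layers: a single-use form token stored in the session (a resubmitted form carries a token that has already been consumed, so the handler rejects it before any INSERT), a UNIQUE index on (uid, eid, month, year) so the database itself refuses a second vote for the same entry even when two submissions arrive at once, and a POST-Redirect-GET whose Location header is sent before any output, so the browser's history holds the GET of current_round.php rather than the POST. The member id is taken from the session rather than from a hidden form field, since a hidden MemberId can be edited by the voter. It assumes PHP 7.1 or later with PDO, a login that stores the member id in $_SESSION['member_id'], the hypothetical table definition shown in the comment, and that the rating <select> now carries plain option values 1..5; none of these are from the original post.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+ with PDO/MySQL and a
// session-based login that stores the member id in $_SESSION['member_id'].
// Hypothetical table (the UNIQUE key is what makes a second vote impossible):
//   CREATE TABLE votes (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     uid INT NOT NULL, eid INT NOT NULL, rating TINYINT NOT NULL,
//     month TINYINT NOT NULL, year SMALLINT NOT NULL,
//     UNIQUE KEY one_vote_per_entry (uid, eid, month, year)
//   );
session_start();

// --- Step 1: on the voting page, issue a single-use token per form. ---
// Embed it as <input type="hidden" name="token" value="...">.
function issue_vote_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['vote_tokens'][$token] = time();
    return $token;
}

// --- Step 2: in the handler, consume the token before touching the DB. ---
// A replayed POST (BACK then resubmit, refresh of the handler page, or a
// scripted repeat) carries a token that was already deleted, so it is rejected.
function consume_vote_token(?string $token): bool {
    if ($token === null || !isset($_SESSION['vote_tokens'][$token])) {
        return false;
    }
    unset($_SESSION['vote_tokens'][$token]);
    return true;
}

// --- Step 3: record the vote; the DB enforces one vote per member per entry. ---
// Returns 'recorded', 'already_voted' or 'bad_rating'.
function record_vote(PDO $db, int $memberId, int $entryId, int $rating, int $month, int $year): string {
    if ($rating < 1 || $rating > 5) {
        return 'bad_rating';
    }
    // Prepared statement: values never touch the SQL text, so no injection.
    $stmt = $db->prepare('INSERT INTO votes (uid, eid, rating, month, year) VALUES (?, ?, ?, ?, ?)');
    try {
        $stmt->execute([$memberId, $entryId, $rating, $month, $year]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: the UNIQUE index
        // already holds this member's vote for this entry in this round.
        if ((string) $e->getCode() === '23000') {
            return 'already_voted';
        }
        throw $e;
    }
    return 'recorded';
}

// --- Handler entry point (the page the form POSTs to) ---
function handle_vote_post(PDO $db): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: ../current_round.php', true, 303);
        exit;
    }
    if (empty($_SESSION['member_id'])) {
        $_SESSION['flash'] = 'You are not logged in! Please login or register to rate.';
    } elseif (!consume_vote_token($_POST['token'] ?? null)) {
        $_SESSION['flash'] = 'This vote form was already submitted. Reload the voting page to vote again.';
    } else {
        // Identity comes from the session, never from the POST body.
        $result = record_vote(
            $db,
            (int) $_SESSION['member_id'],
            (int) ($_POST['uid'] ?? 0),
            (int) ($_POST['Choose'] ?? 0),   // option values are now plain 1..5
            (int) ($_POST['month'] ?? 0),
            (int) ($_POST['year'] ?? 0)
        );
        $_SESSION['flash'] = [
            'recorded'      => 'Your vote has been recorded.',
            'already_voted' => 'You have already voted for this entry.',
            'bad_rating'    => 'Sorry, you did not choose a number from 1 - 5.',
        ][$result];
    }
    // POST -> Redirect -> GET. Nothing has been echoed yet, so the Location
    // header is actually sent; the voting page reads and clears $_SESSION['flash']
    // to show the message. BACK now lands on a GET, not on this handler.
    header('Location: ../current_round.php', true, 303);
    exit;
}
```

The existing table gets the constraint with `ALTER TABLE votes ADD UNIQUE KEY one_vote_per_entry (uid, eid, month, year)` (after removing any duplicate rows already present). The token check alone is enough for the BACK case, because the browser resubmits the same hidden value; the UNIQUE key is the backstop for anything the token does not cover, such as two tabs submitting for the same entry, and PHP's default session locking serialises concurrent requests within one session so the token cannot be consumed twice.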