help with rating system and allowing a IP

vincenzobar
Forum Commoner
Posts: 95
Joined: Wed Nov 02, 2005 9:57 am

Post by vincenzobar »

Hi,

I have a great rating system that does not require cookies and stores time and IP in a MySQL database to keep users from rigging the votes. Now my problem is I need to allow my IP to vote as many times as I want. Just my IP. I know it is unethical but a job is a job and that's what they want. At least I am not killing anyone!!!

Where and how do I add the code to allow my IP not to be subject to the constraints I set for everyone else?

Here is the beast of the code:

Code:

include_once("config.php");
@mysql_connect($rate_host,$rate_username,$rate_password);
$rhdb=@mysql_select_db($rate_database) or die("Cannot connect to database");
$ratecounter=0;
if (isset($_POST['action']) && $_POST['action'] == "doit") {
   // $hotscript_pop=0;
   if (isset($_POST['rate']) && $_POST['rate']>0 && !empty($_POST['rateit_id'])) {
      // request values end up inside SQL strings below, so escape or cast them once here
      $rateit_id = mysql_real_escape_string($_POST['rateit_id']);
      $rate_new  = (int)$_POST['rate'];
      $posted    = isset($_POST['postedcounter']) ? (int)$_POST['postedcounter'] : 0;
      $ip        = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
      $days      = (int)$days; // from config.php, used in the INTERVAL expression

      //if we add $rateit_id to cookiename we have an unique id
      //and more ratings on 1 page can be done
      $cookie_key = $rate_cookiename.$_POST['rateit_id'];
      if (empty($_COOKIE[$cookie_key])) {
         $time_cookie = 0;
      } else {
         $time_cookie = (int)$_COOKIE[$cookie_key];
      }

      if ($time_cookie == 0) {
         //maybe cookies blocked so we will check the ip, clean table first
         $result = mysql_query("DELETE FROM ".$rate_table."_ip WHERE datum<NOW() ");
         $result = mysql_query("SELECT UNIX_TIMESTAMP(max(datum)) from ".$rate_table."_ip WHERE article='$rateit_id' AND ip='$ip' ");
         if (mysql_num_rows($result) >= 1) {
            $dat=mysql_fetch_array($result);
            $time_cookie=$dat[0];
            // now time from ip known, no cheating!
         }
      }
      if (mysql_num_rows(mysql_query("SELECT * from ".$rate_table." WHERE id='$rateit_id' "))== 0 ) {
         // ---------------- automate admin page insertion -----------------------
         $query="INSERT INTO ".$rate_table." (article,rate,count,class,datum)  VALUES ('$rateit_id',0,0,'$class',NOW() ) ";
         mysql_query($query) or die("Error, cannot add new ratings item" .mysql_error());
      }

      if (time() >= $time_cookie) {
         $query = "SELECT count(*) AS num FROM ".$rate_table."_ip WHERE datum>NOW() AND ip='$ip' AND article='$rateit_id' ";
         $rs = mysql_query($query) or die("LINE 40: article not found? ".mysql_error());
         $as = mysql_fetch_array($rs);
         if ($as['num']==0 ) {
            // update rate
            $query = "SELECT * FROM ".$rate_table." WHERE article='$rateit_id'";
            $rs = mysql_query($query);
            $as = mysql_fetch_array($rs);
            $as['rate']  = $as['rate']+$rate_new;
            $as['count'] ++;
            $query="UPDATE ".$rate_table." SET rate='".$as['rate']."',datum=NOW(),count='".$as['count']."' WHERE article='$rateit_id'";
            $ss=mysql_query($query) or die("LINE 50:".mysql_error());
            $valid=time()+$days*86400;
            // update ip table
            $query="INSERT INTO ".$rate_table."_ip VALUES('$ip',date_add(NOW(),INTERVAL ".$days." DAY),'$rateit_id')";
            mysql_query($query) or die("LINE 55: Cannot update ip table.".mysql_error());
            //$x=setcookie($rate_cookiename.$_POST['rateit_id'],$valid,$valid,'/',$rate_sitecookie);
            //}
            /*if ($_POST[hotscript_id]!='' && $_POST[hotscript_id]!='0') {
               $hotscript_pop=1;
            }   */
         } else { $ratedone=$posted;}
      } else{ $ratedone = $posted;}
   }
}
function ShowForm($id,$num,$me="Select Rate",$it="Rate!",$class="") 
{

global $ratedone,$rate,$ratecounter;
$ratecounter++;
// the function also has to be numbered!
if ($ratedone != $ratecounter) {
   echo '
   <script type="text/javascript">
   function submitit'.$ratecounter.'() {
     if (document.rateform'.$ratecounter.'.rate.value=="x"){
        alert ("You did not select a rating for this deal");
     } else {
       document.rateform'.$ratecounter.'.submit(); 
     }
   }
   </script>';     

  	
   echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="post" name="rateform'.$ratecounter.'" style="display:inline">';
   echo '<select name="rate" class="Sel">';
   echo '<option value="x" selected>'.$me.'</option>';
   for ($c=$num; $c >= 1 ; $c--) {
      echo '<option value="'.$c.'">'.$rate[$c].'</option>';
   }
   echo '</select> ';
   echo '<input type="hidden" name="rateit_id" value="'.htmlspecialchars($id, ENT_QUOTES).'">'; // id to link
 
   echo '<input type="hidden" name="postedcounter" value="'.$ratecounter.'"> ';
   echo '<input type="hidden" name="action" value="doit"> ';
   echo '&nbsp;<input type="button" value="'.$it.'" style="font-size:9px" onclick="javascript:submitit'.$ratecounter.'()">';
   echo '</form>';
} else  echo '<b>Your vote has already been counted.</b> ';

}

I have tried || statements in ifs, I have tried manipulating the MySQL statement to exclude the IP, and all fail... Am I missing something? Do I need to rethink my approach to this?

Someone help, I have been struggling on this for 2 days!

Thanks
vin
vincenzobar
Forum Commoner
Posts: 95
Joined: Wed Nov 02, 2005 9:57 am

Post by vincenzobar »

Never mind, I just added a delete statement to remove any record of my IP from the IP table and act like it started new!!!

See here:

Code:

if ($_POST['action'] == "doit") {
   // $hotscript_pop=0;

// taking out our IP. If more than one IP, we will create an array to handle it and put it in the config file!
   $query="DELETE FROM ".$rate_table."_ip WHERE ip='12.28.190.6' ";
   mysql_query($query) or die("Error, Did not Delete IP: " .mysql_error());//clear all records from this IP to lift ban
    if ($_POST['rate']>0  && !empty($_POST['rateit_id'])) {
       //if we add $rateit_id to cookiename we have an unique id
       //and more ratings on 1 page can be done

//rest of the old code here ---->
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Problem: what if your IP changes (as it almost definitely will within a month's time)? What I would do is set a cookie on your computer (since you are already going off your IP address) and have it expire in like a gagillian years. Then just check if that particular cookie !empty and if it is not empty, run the delete query on your IP (which you should get dynamically each time).

But... I'm still going to call you a cheater :lol:
vincenzobar
Forum Commoner
Posts: 95
Joined: Wed Nov 02, 2005 9:57 am

Post by vincenzobar »

The IP here will never change, it is static.

For some reason the cookie thing is not working so I just check by IP for now. I know dialup will be able to cheat this by just logging out and back in since they get a new IP every time. But even still, the time is set for 10 days, then a revote can happen if wanted.

I keep getting a header error when I enable the cookie.

Not only is this code a little complex, I have it as a module in Movable Type. It works as is but there are still a few features to finalize, like writing a cookie without errors.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Just make a single other script to set the cookie, then run it, then delete the script. That way the cookie will be set and available on all other scripts but nobody else can get that cookie set since you deleted the script. See what I mean? And how do you know the IP will never change? An IP that never changes is almost impossible. I am constantly connected through my ISP and it's all done through my huge apartment building, but yet my IP changes without me knowing; you definitely cannot be sure about that.
IceMetalPunk
Forum Commoner
Posts: 71
Joined: Thu Jul 07, 2005 11:45 am

Post by IceMetalPunk »

The cookie thing is not such a good idea.

It is very easy for someone to create a false cookie, especially with IE/AOL, as they both use flat text files to store cookie information.

For someone who knows what they are doing (and only a little computer experience), this is easy to hack.

If you are completely sure that your IP will remain static always, then I'd use the IP.

Or, another approach is to require a password (or 2) that is (are) hashed on the server somewhere. This way, only people who know the password(s) can remove the IPs from the DB.

-IMP ;) :)
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

What's the problem? Simply add an if-else before you write IPs into the database. If it is yours, simply don't write it.
You could easily combine this with a list of IPs from the database or a file.


Cheater ;)
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

IceMetalPunk wrote: The cookie thing is not such a good idea.

It is very easy for someone to create a false cookie, especially with IE/AOL, as they both use flat text files to store cookie information.

For someone who knows what they are doing (and only a little computer experience), this is easy to hack.

If you delete the script that sets the cookie, then who is even going to know that you and only you have a cookie there? And even then, if somehow they find out about the cookie, just set the cookie to some hash, and what are the odds of someone guessing that hash when they write their own cookie?

I wouldn't rely on an IP address, that's for certain.
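
The cookie-versus-IP argument in this thread, as an added example that is not code from any poster: the exemption cookie carries a random 256-bit token, the server keeps only its SHA-256 digest and compares with hash_equals(), and the check also requires an allow-listed address. The function, constant and cookie names are hypothetical, the addresses are constructed, and PHP 7.3 or later is assumed.

```php
<?php
// Added example, not code from the thread. All names are hypothetical; needs PHP 7.3+.
const EXEMPT_COOKIE = 'rate_exempt';   // hypothetical cookie name

// Run once by the operator: the raw token goes into the browser cookie,
// only its SHA-256 digest is kept on the server (for example in config.php).
function issue_exempt_token(): array {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    return ['cookie' => $token, 'stored' => hash('sha256', $token)];
}

// setcookie() emits an HTTP header, so it must run before any page output;
// otherwise PHP warns that headers were already sent and the cookie is not set.
function send_exempt_cookie(string $token): bool {
    return setcookie(EXEMPT_COOKIE, $token, [
        'expires'  => time() + 365 * 86400,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from page scripts
        'samesite' => 'Strict',
    ]);
}

// Exempt only when the address is allow-listed AND the cookie matches the stored digest.
function is_exempt(array $cookies, string $remoteAddr, string $storedHash, array $allowedIps): bool {
    if (!in_array($remoteAddr, $allowedIps, true)) {
        return false;
    }
    $presented = $cookies[EXEMPT_COOKIE] ?? '';
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check leaks no partial match
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Constructed demo values; 192.0.2.10 and 198.51.100.7 are documentation addresses.
$issued  = issue_exempt_token();
$allowed = ['192.0.2.10'];
var_dump(is_exempt([EXEMPT_COOKIE => $issued['cookie']], '192.0.2.10', $issued['stored'], $allowed));
var_dump(is_exempt([EXEMPT_COOKIE => 'forged-value'], '192.0.2.10', $issued['stored'], $allowed));
var_dump(is_exempt([EXEMPT_COOKIE => $issued['cookie']], '198.51.100.7', $issued['stored'], $allowed));
```

In the rating script the check would run as is_exempt($_COOKIE, $_SERVER['REMOTE_ADDR'], ...) in the if-else before the IP row is written, with the digest and address list read from the config file.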