
Help with rating system and allowing an IP

Posted: Mon Dec 12, 2005 11:07 am
by vincenzobar
Hi,

I have a great rating system that does not require cookies and stores time and IP in a MySQL database to keep users from rigging the votes. Now my problem is I need to add my IP to vote as many times as I want. Just my IP. I know it is unethical but a job is a job and that's what they want. At least I am not killing anyone!!!

Where and how do I add the code to allow my IP not to be subject to the constraints I set for everyone else?

Here is the beast of the code:

Code:

include_once("config.php"); // expected to define $rate_host, $rate_table, $rate_cookiename, $days, ...
 @mysql_connect($rate_host,$rate_username,$rate_password);
 $rhdb=@mysql_select_db($rate_database) or die("Cannot connect to database");
 $ratecounter=0;
 if (isset($_POST['action']) && $_POST['action'] == "doit") {
   // $hotscript_pop=0;
    if ($_POST['rate']>0  && !empty($_POST['rateit_id'])) {
       // escape/cast request values once; they are interpolated into the queries below
       $rateit_id = mysql_real_escape_string($_POST['rateit_id']);
       $rate_val  = (int) $_POST['rate'];
       $ip        = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
       $days      = (int) $days;

       //if we add $rateit_id to cookiename we have an unique id
       //and more ratings on 1 page can be done
       $cookie_key = $rate_cookiename.$_POST['rateit_id'];
       if (empty($_COOKIE[$cookie_key])) {
          $time_cookie = 0;
       } else {
          $time_cookie = (int) $_COOKIE[$cookie_key];
       }

       if ($time_cookie == 0) {
          //maybe cookies blocked so we will check the ip, clean table first
          $result = mysql_query("DELETE FROM ".$rate_table."_ip WHERE datum<NOW() ");
          $result = mysql_query("SELECT UNIX_TIMESTAMP(max(datum)) from ".$rate_table."_ip WHERE article='$rateit_id' AND ip='$ip' ");
          if (mysql_num_rows($result) >= 1) {
             $dat=mysql_fetch_array($result);
             $time_cookie=$dat[0];
             // now time from ip known, no cheating!
          }
       }
       if (mysql_num_rows(mysql_query("SELECT * from ".$rate_table." WHERE id='$rateit_id' "))== 0 ) {
          // ---------------- automate admin page insertion -----------------------
          $query="INSERT INTO ".$rate_table." (article,rate,count,class,datum)  VALUES ('$rateit_id',0,0,'$class',NOW() ) ";
          mysql_query($query) or die("Error, cannot add new ratings item" .mysql_error());
       }

       if (time() >= $time_cookie) {
          // has this IP already voted on this article inside the lock-out window?
          $query = "SELECT count(*) AS num FROM ".$rate_table."_ip WHERE datum>NOW() AND ip='$ip' AND article='$rateit_id' ";
          $rs = mysql_query($query) or die("LINE 40: article not found? ".mysql_error());
          $as = mysql_fetch_array($rs);
          if ($as['num']==0 ) {
            // update rate
             $query = "SELECT * FROM ".$rate_table." WHERE article='$rateit_id'";
             $rs = mysql_query($query);
             $as = mysql_fetch_array($rs);
             $as['rate']  = $as['rate']+$rate_val;
             $as['count'] ++;
             $query="UPDATE ".$rate_table." SET rate='$as[rate]',datum=NOW(),count='$as[count]' WHERE article='$rateit_id'";
             $ss=mysql_query($query) or die("LINE 50:".mysql_error());
             $valid=time()+$days*86400;
            // update ip table
             $query="INSERT INTO ".$rate_table."_ip VALUES('$ip',date_add(NOW(),INTERVAL ".$days." DAY),'$rateit_id')";
             mysql_query($query) or die("LINE 55: Cannot update ip table.".mysql_error());
             //$x=setcookie($rate_cookiename.$_POST['rateit_id'],$valid,$valid,'/',$rate_sitecookie);
             //}
             /*if ($_POST['hotscript_id']!='' && $_POST['hotscript_id']!='0') {
                $hotscript_pop=1;
             }   */
          } else { $ratedone=(int) $_POST['postedcounter'];}
       } else{ $ratedone = (int) $_POST['postedcounter'];}
    }
 }
function ShowForm($id,$num,$me="Select Rate",$it="Rate!",$class="") 
{

global $ratedone,$rate,$ratecounter;
$ratecounter++;
// the function also has to be numbered!
if ($ratedone != $ratecounter) {
   echo '
   <script type="text/javascript">
   function submitit'.$ratecounter.'() {
     if (document.rateform'.$ratecounter.'.rate.value=="x"){
        alert ("You did not select a rating for this deal");
     } else {
       document.rateform'.$ratecounter.'.submit(); 
     }
   }
   </script>';     

  	
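   // PHP_SELF is taken from the request URL, so escape it before echoing it into the page
   echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="post" name="rateform'.$ratecounter.'" style="display:inline">';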
   echo '<select name="rate" class="Sel">';
   echo '<option value="x" selected>'.$me.'</option>';
   for ($c=$num; $c >= 1 ; $c--) {
      echo '<option value="'.$c.'">'.$rate[$c].'</option>';
   }
   echo '</select> ';
   echo '<input type="hidden" name="rateit_id" value="'.$id.'">'; // id to link
 
   echo '<input type="hidden" name="postedcounter" value="'.$ratecounter.'"> ';
   echo '<input type="hidden" name="action" value="doit"> ';
   echo '&nbsp;<input type="button" value="'.$it.'" style="font-size:9px" onclick="javascript:submitit'.$ratecounter.'()">';
   echo '</form>';
} else  echo '<b>Your vote has already been counted.</b> ';

}

I have tried || statements in ifs, I have tried manipulating the MySQL statement to exclude the IP, and all fail... Am I missing something? Do I need to rethink my approach to this?

Someone help, I have been struggling on this for 2 days!

thanks
vin

Posted: Mon Dec 12, 2005 1:22 pm
by vincenzobar
Never mind, I just added a delete statement to remove any record of my IP from the IP table and act like it started new!!!

see here

Code:

if ($_POST['action'] == "doit") {
   // $hotscript_pop=0;

// taking out our IP. If more than one IP we will create an array to handle it and put it in config file!
   $query="DELETE FROM ".$rate_table."_ip WHERE ip='12.28.190.6' ";
   mysql_query($query) or die("Error, Did not Delete IP: " .mysql_error()); // clear all records from this IP to lift ban
    if ($_POST['rate']>0  && !empty($_POST['rateit_id'])) {
       //if we add $rateit_id to cookiename we have an unique id
       //and more ratings on 1 page can be done

//rest of the old code here ---->

Posted: Mon Dec 12, 2005 1:53 pm
by shiznatix
Problem: what if your IP changes (as it almost definitely will within a month's time)? What I would do is set a cookie on your computer (since you are already going off your IP address) and have it expire in like a gazillion years. Then just check if that particular cookie is !empty, and if it is not empty, run the delete query on your IP (which you should get dynamically each time).

But... I'm still going to call you a cheater :lol:

Posted: Mon Dec 12, 2005 4:10 pm
by vincenzobar
The IP here will never change, it is static.

For some reason the cookie thing is not working so I just check by IP for now. I know dial-up will be able to cheat this by just logging out and back in since they get a new IP every time. But even still the time is set for 10 days, then a revote can happen if wanted.

I keep getting a header error when I enable the cookie.

Not only is this code a little complex, I have it as a module in Movable Type. It works as is but there are still a few features to finalize, like writing a cookie without errors.

Posted: Mon Dec 12, 2005 5:06 pm
by shiznatix
Just make a single other script to set the cookie, then run it, then delete the script. That way the cookie will be set and available on all other scripts but nobody else can get that cookie set since you deleted the script. See what I mean? And how do you know the IP will never change? An IP that never changes is almost impossible. I am constantly connected through my ISP and it's all done through my huge apartment building, but yet my IP changes without me knowing. You definitely cannot be sure about that.

Posted: Tue Dec 13, 2005 12:16 pm
by IceMetalPunk
The cookie thing is not such a good idea.

It is very easy for someone to create a false cookie, especially with IE/AOL, as they both use flat text files to store cookie information.

For someone who knows what they are doing (and only a little computer experience), this is easy to hack.

If you are completely sure that your IP will remain static always, then I'd use the IP.

Or, another approach is to require a password (or 2) that is (are) hashed on the server somewhere. This way, only people who know the password(s) can remove the IPs from the DB.

-IMP ;) :)

Posted: Wed Dec 14, 2005 12:12 am
by AGISB
What's the problem? Simply add an if-else before you write IPs into the database. If it is yours simply don't write it.
You could easily combine this with a list of IPs from the database or file.


Cheater ;)

Posted: Wed Dec 14, 2005 1:40 am
by shiznatix
IceMetalPunk wrote:
The cookie thing is not such a good idea.

It is very easy for someone to create a false cookie, especially with IE/AOL, as they both use flat text files to store cookie information.

For someone who knows what they are doing (and only a little computer experience), this is easy to hack.

If you delete the script that sets the cookie, then who is even going to know that you and only you have a cookie there? And even then, if somehow they find out about the cookie, just set the cookie to some hash, and what are the odds of someone guessing that hash when they write their own cookie?

I wouldn't rely on an IP address, that's for certain.
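
One way to combine the suggestions in this thread (AGISB's IP list checked before the IP is written, shiznatix's hash in a cookie, IceMetalPunk's secret hashed on the server), as an added example that is not code from any poster here. The function names, the rate_exempt cookie, the config variables and the sample addresses are assumptions, and it needs PHP 7.3 or later.

```php
<?php
// Added example; every name below is hypothetical, not from the thread's script.
// Assumed config.php entries (constructed sample values):
$rate_exempt_ips = array('192.0.2.10'); // documentation-range address
// Generate the token once with bin2hex(random_bytes(32)) and store only its
// SHA-256 here; the token itself lives in the exempt browser's cookie.
$rate_exempt_token_hash = hash('sha256', 'constructed-sample-token');

// True when the request may skip the per-IP vote throttle. Both checks must
// pass: a listed IP alone can be shared, a cookie value alone can be copied.
function rate_is_exempt($remote_addr, array $cookies, array $ips, $token_hash)
{
    if (!in_array($remote_addr, $ips, true)) {
        return false;
    }
    $token = '';
    if (isset($cookies['rate_exempt']) && is_string($cookies['rate_exempt'])) {
        $token = $cookies['rate_exempt'];
    }
    // hash_equals() compares in constant time, so timing does not reveal
    // how much of a guessed value matched.
    return hash_equals($token_hash, hash('sha256', $token));
}

// One-off issuing step. setcookie() only works before any output is sent.
function rate_issue_exempt_cookie($token)
{
    return setcookie('rate_exempt', $token, array(
        'expires'  => time() + 365 * 86400,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Strict',
    ));
}

// Constructed requests: listed IP with the token, listed IP with a forged
// cookie, and an unlisted IP presenting the token.
$requests = array(
    array('192.0.2.10',   array('rate_exempt' => 'constructed-sample-token')),
    array('192.0.2.10',   array('rate_exempt' => '1')),
    array('198.51.100.7', array('rate_exempt' => 'constructed-sample-token')),
);
foreach ($requests as $r) {
    $exempt = rate_is_exempt($r[0], $r[1], $rate_exempt_ips, $rate_exempt_token_hash);
    // In the vote handler, a non-exempt request goes on to the
    // INSERT INTO <rate_table>_ip step; an exempt one skips only that step.
    echo $r[0], ' => ', $exempt ? "exempt\n" : "throttled\n";
}
```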