Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm writing a small script that will allow users (registered) to design and put online their surveys. Non-registered ones will be able to vote, though.
Given such simple work, all is going well, but I'm actually afraid of some bad guy who can do this kind of thing:
If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"
Jenk wrote: If they are registered, as you have said, then you can assign a value to a database against their username that says "you've already voted, no more voting allowed!"
From my post:
"Non registered ones will be able to vote though."
As Ambush Commander said, captchas would work, as this would be too much effort for someone to keep typing the code every time to vote excessively, and IP checking would stop duplicate voting.
IPs are completely unreliable as an identification mechanism. Captchas are inconvenient, but they will not stop someone that has a few extra seconds to kill. The only way to prevent duplicate votes is to register the user in some fashion and tie that user's registration identification to the vote id so that they cannot collide.
Bear in mind that if you do not prevent duplicate registrations, then you are in the same place you started off in with this, except it is certainly more time consuming to re-register and revalidate as a user in order to vote again than it would be for someone that has no hoops to jump through at all.
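The "tie the registration id to the vote so they cannot collide" advice above is, concretely, a uniqueness constraint on (survey, user) enforced by the database rather than an application-side "did this user already vote?" check, which two concurrent requests can both pass before either inserts. The following is an added example, not code from this thread or from the poster's script; it uses Python with sqlite3 instead of PHP so it runs stand-alone, but the schema and the insert-and-catch pattern carry over directly. Table and column names, and the sample users and survey, are constructed for the example.

```python
import sqlite3

# Constructed schema: the UNIQUE (survey_id, user_id) constraint is the actual
# duplicate-vote guard; the foreign keys make sure a vote must reference a
# registered user and an existing survey.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE surveys (
    id    INTEGER PRIMARY KEY,
    title TEXT NOT NULL
);
CREATE TABLE votes (
    id        INTEGER PRIMARY KEY,
    survey_id INTEGER NOT NULL REFERENCES surveys(id),
    user_id   INTEGER NOT NULL REFERENCES users(id),
    choice    TEXT NOT NULL,
    UNIQUE (survey_id, user_id)
);
"""


def open_db():
    """Open an in-memory database with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite ignores REFERENCES otherwise
    conn.executescript(SCHEMA)
    return conn


def cast_vote(conn, survey_id, user_id, choice):
    """Record one vote. Returns True if stored, False if the database refused it.

    No SELECT-then-INSERT: the INSERT itself is the check, so two requests racing
    for the same (survey_id, user_id) cannot both succeed. An IntegrityError also
    covers a user_id or survey_id that does not exist (foreign key violation).
    """
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO votes (survey_id, user_id, choice) VALUES (?, ?, ?)",
                (survey_id, user_id, choice),
            )
    except sqlite3.IntegrityError:
        return False
    return True


def tally(conn, survey_id):
    """Return {choice: count} for one survey."""
    rows = conn.execute(
        "SELECT choice, COUNT(*) FROM votes WHERE survey_id = ? GROUP BY choice",
        (survey_id,),
    )
    return dict(rows)


def demo():
    """Constructed scenario: two users, one survey, one user tries to vote three times."""
    conn = open_db()
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.execute("INSERT INTO surveys (title) VALUES (?)", ("constructed sample survey",))
    conn.commit()
    results = [
        cast_vote(conn, 1, 1, "yes"),  # alice's first vote: stored
        cast_vote(conn, 1, 2, "no"),   # bob's first vote: stored
        cast_vote(conn, 1, 1, "yes"),  # alice again: refused by UNIQUE
        cast_vote(conn, 1, 1, "no"),   # alice changing her answer: still refused
    ]
    return results, tally(conn, 1)


if __name__ == "__main__":
    print(demo())
```

What this does not solve is the second half of the post above: the constraint only stops one registered identity from voting twice, so someone who can register several accounts gets several votes. The username UNIQUE index stops exact duplicate names, nothing more; limiting duplicate registrations (e-mail verification, rate limiting sign-ups, and similar) is a separate control.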