Poll/Servey Script need to add IP check so people can't resubmit vote

[cobusbo]

Hi, I'm currently using a voting script, but have a problem with people voting more then once, and want to add a way to keep the voting unique and 1 per person via IP check can anybody assist me how to implement it in the following script please?

<?php

// the questions and the answers
$pool_question="Do you think I should keep Galaxy Universe open?";
$pool_option[1]="Yes";
$pool_option[2]="No";

// If counter files are not available,they will be created
// You may remove next lines after the first use of the script
        if (!file_exists("pool_5483543_1.txt")){
                // next two lines will not work if writing permissions are not available
                // you may create the files bellow manualy with "0" as their unique content
                file_put_contents ("pool_5483543_1.txt",0);
                file_put_contents ("pool_5483543_2.txt",0);
        }

// retrieve data saved in files
        $pool_responses[1]=file_get_contents("pool_5483543_1.txt");
        $pool_responses[2]=file_get_contents("pool_5483543_2.txt");


// if user votes, increase corresponding value
        if ($_POST["5483543"] and $_POST["5483543b"]==""){
                if ($_POST["5483543"]==1) {$pool_responses[1]++;file_put_contents("pool_5483543_1.txt",$pool_responses[1]);}
                if ($_POST["5483543"]==2) {$pool_responses[2]++;file_put_contents("pool_5483543_2.txt",$pool_responses[2]);}
        }

// get percentajes for each answer in the pool
        // get total number of answers
        $total_responses=$pool_responses[1]+$pool_responses[2];
        if ($total_responses==0){$total_responses=1;}  // to avoid errors at start
        // compute percentajes (with one decimal number)
        $pool_percentaje[1] = round((100*$pool_responses[1])/$total_responses,1);
        $pool_percentaje[2] = round((100*$pool_responses[2])/$total_responses,1);
                                                                
// print the form, which includes de answers and the percentajes
print "<center>\n";
print "<form method=post action=".$_SERVER["PHP_SELF"].">\n";
print "<b>".$pool_question."</b>\n";
print "<table cellpadding=4>\n<br>";
// answer 1
print "<tr>\n";
print "<td><input type=radio name=5483543 value=1>  ".$pool_option[1]."</td>\n";
print "<td bgcolor=DDDDFF>" .$pool_responses[1]." (".$pool_percentaje[1]."%)</td>\n";
print "</tr>\n";
// answer 2
print "<tr>\n";
print "<td><input type=radio name=5483543 value=2>  ".$pool_option[2]."</td>\n";
print "<td bgcolor=DDDDFF>" .$pool_responses[2]." (".$pool_percentaje[2]."%)</td>\n";
print "</tr>\n";
print "</table>\n";
// a simple control to avoid one user to vote several times
if ($_POST["5483543"]){
        print "<input type=hidden name=5483543b value=1>\n";
}
print "<input TYPE=submit value=Add my answer>\n";
print "</form>\n";
print "</center>\n";

?>

The reason why I ask for IP check is I wan't to use 

$_SERVER["HTTP_X_MXIT_USERID_R"];

in the place of the Ip since it give a unique name via the platform I want to implement it.

Edited January 14, 2015 by cobusbo

[Psycho]

Do you realize that many people can (and will) be using the same IP when behind a NAT? Any home (and many businesses) use a router with, NAT, that connects through the ISP and has one external IP address. Then, internally, all the connected devices have local IP addresses. All requests go through the router using the external IP address. When the responses come back, the router determines which internal IP to direct the response to.

 

So, a web application will only see the external IP address of all the machines behind that router. There is really no perfect way to prevent people from voting multiple times. You could use a cookie as a first-line of defense (of course it can be deleted by the user). Then, if you really want to make it difficult, require that users are registered and authenticate before they can vote. Then only allowed users to vote once. Of course, they could create multiple accounts, but you would verify the email address and it would be a major PITA for users to vote multiple times at that point.

[MiWi]

As said, there really isn't a perfect answer. In general though, IP alone is not an ideal solution. Entire companies, schools, libraries, etc.. may share the same external address. 

 

In most cases i've just used cookies for small scripts. Unless the user had to be logged in to vote and from there you can use other methods. 

[cobusbo]

Do you realize that many people can (and will) be using the same IP when behind a NAT? Any home (and many businesses) use a router with, NAT, that connects through the ISP and has one external IP address. Then, internally, all the connected devices have local IP addresses. All requests go through the router using the external IP address. When the responses come back, the router determines which internal IP to direct the response to.

 

So, a web application will only see the external IP address of all the machines behind that router. There is really no perfect way to prevent people from voting multiple times. You could use a cookie as a first-line of defense (of course it can be deleted by the user). Then, if you really want to make it difficult, require that users are registered and authenticate before they can vote. Then only allowed users to vote once. Of course, they could create multiple accounts, but you would verify the email address and it would be a major PITA for users to vote multiple times at that point.

 

 

As said, there really isn't a perfect answer. In general though, IP alone is not an ideal solution. Entire companies, schools, libraries, etc.. may share the same external address. 

 

In most cases i've just used cookies for small scripts. Unless the user had to be logged in to vote and from there you can use other methods. 

 

Like I said in the place of 

$_SERVER['REMOTE_ADDR']

I want to use

$_SERVER["HTTP_X_MXIT_USERID_R"];

as the so called "IP" in this scenario. I run my website via a mobi. portal on an instant mesaging platform called Mxit. And the above code will recall their unique login id into the Instant messanger. Thats why I need to change my code to make sure that a user with the same ID wont be able to vote again.

[Psycho]

So your real request is to write the code for you? Have you made an attempt? Start with the following then come back with any questions.

 

1. When loading any page that will display links/controls to make a vote: Do a check to see if the user has already responded. If so, disable/hide those controls and/or provide a message that let's them know they have already voted. If not, then enable/display the controls. This is really only for usability - not specifically to prevent multiple votes.

 

2. When a user submits a vote. You will also want to perform a check if they have already voted because anything you do on the actual page can be easily overwritten. If the user has a previous vote, then don't save the new one (or overwrite the current one if you want to allow users to change their vote).

 

If you are going to have multiple polls then you will want two tables. One to define the polls and another to log the votes by each user.

[Barand]

Make the $_SERVER["HTTP_X_MXIT_USERID_R"] value part of a unique key in your table then it becomes impossible to write a duplicate.

 

EG> UNIQUE KEY (poll_id, user_id)

[cobusbo]

Make the $_SERVER["HTTP_X_MXIT_USERID_R"] value part of a unique key in your table then it becomes impossible to write a duplicate.

 

EG> UNIQUE KEY (poll_id, user_id)

The reason why I'm asking is the script posted in my first message works with plain text documents and doesnt require a database. I'm not familiar how to do that without using a database. I want to keep it in .txt files

[CroNiX]

Maybe have another file like voter_ids.txt.

 

1) When someone submits the form, check that voter_ids.txt file to see if their $_SERVER["HTTP_X_MXIT_USERID_R"] id exists in there. If it does, they've already voted and show them a message.

 

2) If not, continue saving the data to your text files, and also include $_SERVER["HTTP_X_MXIT_USERID_R"] in voter_ids.txt so you know they've voted.

 

Then if they try to submit the form again, it will get caught by #1 above since their $_SERVER["HTTP_X_MXIT_USERID_R"] ID will exist in the voter_ids.txt file.

[SF23103]

Most survey applications that require limiting responses to one per person use a token.

 

You will generate a token, or unique set of characters for every user. When the invitation is sent, it will include the token in the URL. When the user completes the survey or vote, the application will mark that token in the database as used. If the user tries to access the survey again, it will not allow it because their token has been used.