
[SOLVED] Form Spam


bschultz


I wrote a viewer poll in php (not sure if this should go in the php section of here...) that on occasion is being hit by spammers.

 

Here's the code:

mysql_connect($DBhost,$DBuser,$DBpass) or die("Unable to connect to database");
@mysql_select_db("$DBName") or die("Unable to select database $DBName");

$ip=$_SERVER['REMOTE_ADDR'];

$sqlquery = "INSERT INTO $db VALUES('$ip', '$_POST[q1]')";
$results = mysql_query($sqlquery);

if (empty($_POST['q1'])) {
  print "You must make a selection.  Please use your back button and select an answer";
}
else {
  if ($results){
    echo '<meta http-equiv=Refresh content=1;url="page.php?page=poll_results">';
  }
  else{
    echo '<meta http-equiv=Refresh content=1;url="page.php?page=poll_oops">';
  }
}
mysql_close();

In essence, the code writes the user's IP and the vote into the db.  It's supposed to keep the user from not selecting an answer (this part:  if (empty($_POST[q1])) { Print "You must make a selection.  Please use your back button and select an answer"; } )  but it doesn't keep the spammers from hitting the page (I'm assuming looking for a bad email form to use for spam...).  How can I re-write this to ensure that a vote needs to be made?

Thanks.

Brian


If that code is your page structure... it's inserting the vote before doing any validation.  Unless I'm missing part of your question, try structuring it like this.

<?php
$ip = $_SERVER['REMOTE_ADDR']; // remote ip

if (empty($_POST['q1'])) {
  print "You must make a selection.  Please use your back button and select an answer";
}
else {
  // Answer wasn't empty
  mysql_connect($DBhost,$DBuser,$DBpass) or die("Unable to connect to database");
  @mysql_select_db("$DBName") or die("Unable to select database $DBName");

  // escape the submitted value before it goes into the SQL string
  $answer = mysql_real_escape_string($_POST['q1']);
  $sqlquery = "INSERT INTO $db VALUES('$ip', '$answer')";
  $results = mysql_query($sqlquery);

  // query went through
  if ($results){
    echo '<meta http-equiv=Refresh content=1;url="page.php?page=poll_results">';
  }
  // query failed
  else{
    echo '<meta http-equiv=Refresh content=1;url="page.php?page=poll_oops">';
  }

  // close the connection opened above
  mysql_close();
}
?>

Also, you really should validate $_POST[q1] to ensure it contains only the values 1-4 or whatever you're looking for.
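
The advice in the reply above (check the answer before touching the database, and accept only the expected values), as an added example that is not part of the thread. It assumes a `poll_votes` table, answers numbered 1-4, and PDO with an in-memory SQLite database so it runs offline; `record_vote` is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. The table name poll_votes, the
// 1-4 answer range and the SQLite in-memory database are assumptions so the
// script runs offline; swap the DSN for the real MySQL connection.

/**
 * Validate the submitted answer first, then store it with a prepared
 * statement. Returns the page to redirect to, or null if rejected.
 */
function record_vote(PDO $db, string $ip, $rawChoice): ?string
{
    // Whitelist: accept only an integer 1..4. Empty strings, arrays,
    // spam text and SQL fragments all fail here and never reach the DB.
    $choice = filter_var($rawChoice, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 4]]);
    if ($choice === false) {
        return null;
    }

    try {
        // Placeholders keep the values out of the SQL text entirely.
        $stmt = $db->prepare('INSERT INTO poll_votes (ip, answer) VALUES (?, ?)');
        $stmt->execute([$ip, $choice]);
        return 'poll_results';
    } catch (PDOException $e) {
        return 'poll_oops';
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE poll_votes (ip TEXT, answer INTEGER)');

// Constructed sample submissions standing in for $_POST['q1'].
$samples = ['3', '', null, '7', "1'); DROP TABLE poll_votes; --", ['1'], 'buy pills'];
foreach ($samples as $raw) {
    $page = record_vote($db, '203.0.113.5', $raw);
    printf("%-36s => %s\n", json_encode($raw), $page ?? 'rejected: make a selection');
}
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM poll_votes')->fetchColumn(), "\n";
```

In the poll script the call would be `record_vote($db, $_SERVER['REMOTE_ADDR'], $_POST['q1'] ?? null)` against the real database connection.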
