
I figured this should go here: feel free to move it if it's in the wrong place.

 

I wanted to discuss potential security issues and features that should be in an online voting platform (to be used for student council elections and such). Apart from hashing passwords, how would one go about reducing the possibility of fraud (either via MySQL injection, or some other nefarious device)? I'm afraid I'm not very experienced with security.

 

I know some of the paid software packages give every voter a special ID for each ballot they fill out, and that the numbers aren't actually stored in a database, but I have NO clue how to do that.

 

Does anyone have any experience with this?

https://forums.phpfreaks.com/topic/264675-security-for-a-voting-system/

Well, I'm the only person registering people (i.e. I get the list of potential voters and add them all manually), so yeah, I think we can make it that everyone only votes once. I actually think it would be unethical for me to be able to see who voted what (I run the elections). Is there a way to get the total results but keep me from seeing the individual votes?

It's easy to make sure you don't know who voted for what. I mean knowing who has voted at all. If there shouldn't be a way for you to know that then it's still possible but exactly how depends on what kind of data you have available.

 

But if that's fine then all you need is a record of who has voted. Like a table of which user and which election. If they've voted on the election already then don't let them do it again.

Oh, I get what you mean. Well, yes, that part is easy and I imagine would be fairly simple to control. I guess what I'm asking is: are there any obvious or easy ways to break into a database or do a MySQL injection if all you have is a website with no textboxes? (since they only get radio buttons). As long as I make the database admin username and password complicated, is there any way for someone with some technical experience (e.g. annoying first-year computer science students) to break in?

Oh, I get what you mean. Well, yes, that part is easy and I imagine would be fairly simple to control. I guess what I'm asking is: are there any obvious or easy ways to break into a database or do a MySQL injection if all you have is a website with no textboxes?

Don't even ask the question. Always protect yourself against it, regardless of how easy you think it could be. Regardless of whether you think it's even possible.

Unless you're serving a static website then there will be user input somewhere.

 

(since they only get radio buttons)

Radio buttons qualify as user input.

 

As long as I make the database admin username and password complicated, is there any way for someone with some technical experience (e.g. annoying first-year computer science students) to break in?

Assume someone very smart will try.

 

 

Rule of thumb: users are malicious, smart, and have plenty of time and patience. You can never trust them.
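To make the advice in this thread concrete (radio-button values are user input, every query takes untrusted data, one vote per user per election, and totals that never reveal who chose what), here is an added PHP/PDO example that is not from any poster. It assumes a `$pdo` connection with `PDO::ERRMODE_EXCEPTION` set and three assumed tables: `candidate (id, election_id)`, `voted (election_id, user_id, PRIMARY KEY (election_id, user_id))` and `ballot (id AUTO_INCREMENT, election_id, candidate_id)`.

```php
<?php
// Added example, not code from the thread. Assumed schema:
//   candidate (id INT, election_id INT)
//   voted     (election_id INT, user_id INT, PRIMARY KEY (election_id, user_id))
//   ballot    (id INT AUTO_INCREMENT, election_id INT, candidate_id INT)
// The voter's identity lives only in `voted`; `ballot` has no user column, so
// the person running the election can count results but not see who chose what.

function castBallot(PDO $pdo, int $electionId, int $userId, string $submitted): bool
{
    // The radio-button value is user input: a client can POST any string here.
    // Allow-list it against the candidates the database says are in this election,
    // using a prepared statement so the election id never touches SQL text either.
    $stmt = $pdo->prepare('SELECT id FROM candidate WHERE election_id = ?');
    $stmt->execute([$electionId]);
    // intval() normalises the driver's string-or-int column type for strict comparison.
    $allowed = array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
    if (!ctype_digit($submitted) || !in_array((int) $submitted, $allowed, true)) {
        return false; // unknown candidate: reject without echoing the value back
    }
    $candidateId = (int) $submitted;

    $pdo->beginTransaction();
    try {
        // Mark the voter first; the composite primary key makes a second vote fail.
        $mark = $pdo->prepare('INSERT INTO voted (election_id, user_id) VALUES (?, ?)');
        $mark->execute([$electionId, $userId]);
        // Store the ballot with no reference to the voter.
        $ins = $pdo->prepare('INSERT INTO ballot (election_id, candidate_id) VALUES (?, ?)');
        $ins->execute([$electionId, $candidateId]);
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack();
        // SQLSTATE 23000 = integrity constraint violation: this user already voted.
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e; // anything else is a real error, surface it
    }
}

// Totals come from `ballot` alone; the query never joins or reads `voted`.
function tally(PDO $pdo, int $electionId): array
{
    $stmt = $pdo->prepare(
        'SELECT candidate_id, COUNT(*) FROM ballot WHERE election_id = ? GROUP BY candidate_id'
    );
    $stmt->execute([$electionId]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR); // [candidate_id => votes]
}
```

Because the two inserts run in one transaction, a duplicate-vote failure on `voted` also rolls back the ballot row, so a refused voter leaves nothing behind in either table.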
