MDCode Posted August 9, 2012

I am making a survey feature for my website. Nothing is wrong with the current security (that I know of :s). I was actually wondering what I could do to improve the security. Sorry for the lack of organization; I have no code editor on this computer.

submit_survey.php

<?php
// Looks up earlier responses from this IP for the requested survey and sets $ip_check.
require('check/ip_check.php');

// Survey id from the query string (ip_check.php reads the same $_GET['id']).
$id = isset($_GET['id']) ? $_GET['id'] : '';

if($id == "1"){
    if($ip_check != "0") {
        echo "<p>Error: You have already taken this survey.<br>";
        echo "<a href='../index.php'>Back</a></p>";
        die;
    } else {
        // Question 1 must be answered Yes or No.
        if(!isset($_POST['agree']) || !in_array($_POST['agree'], array("Yes", "No"))) {
            echo "<p>Error: Please select an answer for question 1<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 2 is free text and must not be empty.
        if(!isset($_POST['placement']) || $_POST['placement'] == "") {
            echo "<p>Error: Please enter text for question 2<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 3 is Yes/No; answering Yes requires text in question 4.
        $different_location = isset($_POST['different_location']) ? $_POST['different_location'] : '';
        if($different_location == "Yes") {
            if(!isset($_POST['location']) || $_POST['location'] == ""){
                echo "<p>Error: It seems you selected yes for question 3. Please enter text for question 4.<br>";
                echo "<a href='../survey.php?id=1'>Back</a></p>";
                die;
            }
        } else if($different_location != "No") {
            echo "<p>Error: Please select an answer for question 3<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // All answers validated: store them.
        include('add_survey1.php');
    }
} else {
    echo "Error: Invalid survey id";
}
?>

Both ip_check.php files (one for selecting a survey, the other for if a user were to make their own form and submit):

<?php
session_start();
require('../config.php');
$ip = $_SERVER['REMOTE_ADDR'];
include('connection.php');
// Survey id from the query string, escaped before it is put into the query.
$getid = mysql_real_escape_string(isset($_GET['id']) ? $_GET['id'] : '');
$sql = "SELECT * FROM Survey_Responses WHERE `ip` = '$ip' AND `id` = '$getid'";
$result = @mysql_query($sql, $connection) or die(mysql_error());
// Number of earlier responses from this IP for this survey (0 means none).
$ip_check = mysql_num_rows($result);
?>

add_survey1.php

<?php
session_start();
require('../config.php');
include('connection.php');
$ip = $_SERVER['REMOTE_ADDR'];

// Each answer is HTML-encoded and then escaped for the query.
$question1 = isset($_POST['agree']) ? htmlentities($_POST['agree'], ENT_QUOTES) : '';
$question1 = mysql_real_escape_string($question1);
$question2 = isset($_POST['placement']) ? htmlentities($_POST['placement'], ENT_QUOTES) : '';
$question2 = mysql_real_escape_string($question2);
$question3 = isset($_POST['different_location']) ? htmlentities($_POST['different_location'], ENT_QUOTES) : '';
$question3 = mysql_real_escape_string($question3);
$question4 = isset($_POST['location']) ? htmlentities($_POST['location'], ENT_QUOTES) : '';
$question4 = mysql_real_escape_string($question4);
$question5 = isset($_POST['other_locations']) ? htmlentities($_POST['other_locations'], ENT_QUOTES) : '';
$question5 = mysql_real_escape_string($question5);

// Survey id 1, the five answers, then the submitting IP.
$sql = "INSERT INTO Survey_Responses VALUES('1', '$question1', '$question2', '$question3', '$question4', '$question5', '$ip')";
$result = @mysql_query($sql, $connection) or die(mysql_error());
echo "Thank you for taking our survey. Your answers have been successfully recorded.";
?>

Any help would be appreciated.

https://forums.phpfreaks.com/topic/266886-survey-security/
maxudaskin Posted August 10, 2012

An IP does not necessarily mean a computer. There can be many computers to an IP. What if the user is using a public computer (many responses, few IPs)? Register the survey with an email. This allows you a reply-to address, as well as a way to weed out multiple survey submits. Whatever system you use, unless you require a fingerprint scan, there is always the risk of multiple submissions.
Mahngiel Posted August 10, 2012

"unless you require a fingerprint scan"

I have 10 fingers.

@OP: Cookies, sessions, emails: it's nigh impossible to keep out people who want to fake a submission. The best thing you can do is determine which method will slow down the most fakers. Email address submissions (useful, because you can build a mailing list to drive return visits; you just need to weed out fake emails), user registration, captcha, IP time-outs, etc. Just bear in mind that even in the real world, statistics have margins of error.
ignace Posted August 10, 2012

"unless you require a fingerprint scan"

"I have 10 fingers."

Require a DNA sample.
scootstah Posted August 10, 2012

Remove the @ in front of mysql_query(). Suppressing errors isn't a good thing to do, and mysql_query() doesn't output anything if a query fails. Also, remove the or die(mysql_error()) calls when you go to production. In production you should be logging the errors, not displaying them to the public, especially SQL errors. All the user has to know is that something went wrong. Maybe send a "500 - Internal Server Error" header or something.
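As an added example (not the OP's code or anything posted in the thread), here is add_survey1.php reworked along the lines of the OP's question and scootstah's advice: PDO prepared statements replace mysql_real_escape_string so user input never becomes part of the SQL text, database errors are logged rather than echoed, and the user gets a generic 500 on failure. It assumes config.php defines $dsn, $db_user and $db_pass (hypothetical names) and that Survey_Responses has a UNIQUE KEY on (id, ip), so the database itself rejects a repeat submission instead of relying only on the IP pre-check.

```php
<?php
// Added example, not the OP's code. Same Survey_Responses column order as the
// original INSERT: id, five answers, ip. Answer validation still happens in
// submit_survey.php before this file is included.
require '../config.php';   // assumed to define $dsn, $db_user, $db_pass (hypothetical)

function fail_with_500($detail)
{
    // Keep the real cause for the operator; show the visitor only a generic page.
    error_log('survey: ' . $detail);
    http_response_code(500);
    echo '<p>Sorry, something went wrong. Please try again later.</p>';
    exit;
}

$ip = $_SERVER['REMOTE_ADDR'];
$fields = array('agree', 'placement', 'different_location', 'location', 'other_locations');
$answers = array();
foreach ($fields as $f) {
    // Store the raw answer; encode with htmlspecialchars() when it is displayed, not here.
    $answers[] = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
}

try {
    $pdo = new PDO($dsn, $db_user, $db_pass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ));
    // Positional placeholders: the driver sends values separately from the query text.
    $stmt = $pdo->prepare('INSERT INTO Survey_Responses VALUES (?, ?, ?, ?, ?, ?, ?)');
    $stmt->execute(array_merge(array(1), $answers, array($ip)));
} catch (PDOException $e) {
    // SQLSTATE 23000 = integrity constraint violation, here the assumed UNIQUE (id, ip).
    if ($e->getCode() === '23000') {
        http_response_code(409);
        echo '<p>Error: You have already taken this survey.</p>';
        exit;
    }
    fail_with_500($e->getMessage());   // anything else: log it, never print it
}

echo 'Thank you for taking our survey. Your answers have been successfully recorded.';
```

Without the UNIQUE key the catch branch for 23000 never fires and the script degrades to the original IP pre-check, so add the key when creating the table.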