MDCode Posted August 9, 2012

Source: https://forums.phpfreaks.com/topic/266886-survey-security/

I am making a survey feature for my website. Nothing is wrong with the current security (that I know of :s). I was actually wondering what I could do to improve the security. Sorry for the lack of organization, I have no code editor on this computer.

submit_survey.php

```php
<?php
// $id is assumed to be set before this point (e.g. by an earlier include);
// it is not defined anywhere in the code shown in this post.
require('check/ip_check.php');
if($id == "1"){
    if($ip_check != "0") {
        echo "<p>Error: You have already taken this survey.<br>";
        echo "<a href='../index.php'>Back</a></p>";
        die;
    } else {
        // Question 1: must be exactly "Yes" or "No"
        if($_POST['agree'] == "Yes") {
        } else if($_POST['agree'] == "No") {
        } else {
            echo "<p>Error: Please select an answer for question 1<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 2: free text, must not be empty
        if($_POST['placement'] == "") {
            echo "<p>Error: Please enter text for question 2<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 3: "Yes" requires question 4 to be filled in
        if($_POST['different_location'] == "Yes") {
            if($_POST['location'] == ""){
                echo "<p>Error: It seems you selected yes for question 3. Please enter text for question 4.<br>";
                echo "<a href='../survey.php?id=1'>Back</a></p>";
                die;
            }
        } else if($_POST['different_location'] == "No") {
        } else {
            echo "<p>Error: Please select an answer for question 3<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        include('add_survey1.php');
    }
} else {
    echo "Error: Invalid survey id";
}
?>
```

Both ip_check.php (one for selecting a survey, the other for if a user were to make their own form and submit):

```php
<?php
session_start();
require('../config.php');
$ip = $_SERVER['REMOTE_ADDR'];
include('connection.php');
// Look up whether this IP has already answered the requested survey id
$getid = mysql_real_escape_string($_GET['id']);
$sql = "SELECT * FROM Survey_Responses WHERE `ip` = '$ip' AND `id` = '$getid'";
$result = @mysql_query($sql, $connection) or die(mysql_error());
$ip_check = mysql_num_rows($result);
?>
```

add_survey1.php

```php
<?php
session_start();
require('../config.php');
include('connection.php');
$ip = $_SERVER['REMOTE_ADDR'];
// Each answer is HTML-encoded and then SQL-escaped before being stored
$question1 = htmlentities($_POST['agree'], ENT_QUOTES);
$question1 = mysql_real_escape_string($question1);
$question2 = htmlentities($_POST['placement'], ENT_QUOTES);
$question2 = mysql_real_escape_string($question2);
$question3 = htmlentities($_POST['different_location'], ENT_QUOTES);
$question3 = mysql_real_escape_string($question3);
$question4 = htmlentities($_POST['location'], ENT_QUOTES);
$question4 = mysql_real_escape_string($question4);
$question5 = htmlentities($_POST['other_locations'], ENT_QUOTES);
$question5 = mysql_real_escape_string($question5);
$sql = "INSERT INTO Survey_Responses VALUES('1', '$question1', '$question2', '$question3', '$question4', '$question5', '$ip')";
$result = @mysql_query($sql, $connection) or die(mysql_error());
echo "Thank you for taking our survey. Your answers have been successfully recorded.";
?>
```

Any help would be appreciated
maxudaskin Posted August 10, 2012

An IP does not necessarily mean a computer. There can be many computers to an IP. What if the user is using a public computer (many responses, few IPs)? Register the survey with an email. This allows you a reply-to address, as well as a way to weed out multiple survey submits. Whatever system you use, unless you require a fingerprint scan, there is always the risk of multiple submissions.
Mahngiel Posted August 10, 2012

> unless you require a fingerprint scan

I have 10 fingers.

@OP: Cookies, sessions, emails, it's nigh impossible to keep out people who want to fake a submission. The best thing you can do is determine what method will slow down the greatest number of fakers. Email address submissions (useful, because you can build a mailing list to drive return visits; you just need to weed out fake emails), user registration, captcha, IP time-outs, etc. Just bear in mind, even in the real world statistics have margins of error.
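As an added illustration of the "cookies, sessions" option listed above (example code, not from anyone in this thread): a session-bound, single-use form token that survey.php embeds in the form and submit_survey.php consumes before validating answers. It rejects replayed, expired, or forged form posts and stops a second submission from the same browser session; it assumes PHP 7+ and the hypothetical function names shown, and it sits beside the original IP check rather than replacing it.

```php
<?php
// Added example (not the original poster's code or any reply's code).
// Assumptions: PHP 7+ (random_bytes, ??), sessions already in use,
// and the survey id passed as an integer. Function names are hypothetical.
session_start();

// Called by survey.php when rendering the form; the returned token goes into
// <input type="hidden" name="token" value="...">
function issue_survey_token(int $surveyId): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['survey_token'][$surveyId] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Called by submit_survey.php before any answer is looked at.
// Returns true exactly once per issued token; everything else is rejected.
function consume_survey_token(int $surveyId, ?string $submitted, int $ttl = 1800): bool
{
    $entry = $_SESSION['survey_token'][$surveyId] ?? null;
    // Consume first: a failed or replayed attempt cannot reuse the same token.
    unset($_SESSION['survey_token'][$surveyId]);

    if ($entry === null || $submitted === null) {
        return false;                             // no form was issued to this session
    }
    if (time() - $entry['issued'] > $ttl) {
        return false;                             // form left open too long
    }
    if (!hash_equals($entry['token'], $submitted)) {
        return false;                             // constant-time compare, rejects forged values
    }
    if (!empty($_SESSION['survey_done'][$surveyId])) {
        return false;                             // this session already answered
    }
    $_SESSION['survey_done'][$surveyId] = true;
    return true;
}

// Usage in submit_survey.php, before the question validation:
if (!consume_survey_token(1, $_POST['token'] ?? null)) {
    http_response_code(400);
    echo "<p>Error: This form has expired or was already submitted.<br>";
    echo "<a href='../survey.php?id=1'>Back</a></p>";
    exit;
}
```

The session flag only slows duplicates, as the post says: clearing cookies starts a fresh session. What the token does add is that a hand-built form posted without first loading survey.php is rejected outright, and the token is tied to the session that requested it, so it cannot be copied from one browser to another.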
ignace Posted August 10, 2012

> > unless you require a fingerprint scan
>
> I have 10 fingers.

Require a DNA sample
scootstah Posted August 10, 2012

Remove the @ in front of mysql_query(). Suppressing errors isn't a good thing to do, and mysql_query() doesn't output anything if a query fails. Also, remove the or die(mysql_error())'s when you go to production. In production you should be logging the errors, not displaying them to the public, especially SQL errors. All the user has to know is that something went wrong. Maybe send a "500 - Internal Server Error" header or something.
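The following is an added example, not code from the original poster or from any reply, showing what the insert in add_survey1.php looks like once the `@` suppression and `or die(mysql_error())` are replaced by logging plus a generic 500 response, as suggested in the post above. It swaps the old mysql_* functions for PDO prepared statements (a change the thread does not itself propose) and assumes hypothetical `$db_dsn`, `$db_user` and `$db_pass` variables from config.php, PHP 7+, and column names `survey_id, q1, q2, q3, q4, q5, ip` for the seven values the original INSERT fills.

```php
<?php
// Added example (not the thread's own code). Assumptions: PHP 7+, PDO with the
// MySQL driver, config.php defining $db_dsn/$db_user/$db_pass (hypothetical
// names), and a Survey_Responses table with the columns listed below.
session_start();
require('../config.php');

// Inserts one response. Throws PDOException on failure instead of printing
// the database error to the visitor.
function record_response(PDO $db, int $surveyId, array $post, string $ip): bool
{
    $sql = 'INSERT INTO Survey_Responses (survey_id, q1, q2, q3, q4, q5, ip)
            VALUES (:sid, :q1, :q2, :q3, :q4, :q5, :ip)';
    $stmt = $db->prepare($sql);
    // With bound parameters the answers never become part of the SQL text, so
    // no mysql_real_escape_string() is needed. The raw text is stored as-is;
    // htmlspecialchars() is applied when the answers are displayed, not here.
    return $stmt->execute([
        ':sid' => $surveyId,
        ':q1'  => $post['agree'] ?? '',
        ':q2'  => $post['placement'] ?? '',
        ':q3'  => $post['different_location'] ?? '',
        ':q4'  => $post['location'] ?? '',
        ':q5'  => $post['other_locations'] ?? '',
        ':ip'  => $ip,
    ]);
}

try {
    $db = new PDO($db_dsn, $db_user, $db_pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
    record_response($db, 1, $_POST, $_SERVER['REMOTE_ADDR']);
    echo "Thank you for taking our survey. Your answers have been successfully recorded.";
} catch (PDOException $e) {
    // The operator gets the real message in the server log (or wherever
    // error_log() is configured to write); the visitor gets a generic 500.
    error_log('Survey_Responses insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "<p>Sorry, something went wrong while saving your answers. Please try again later.</p>";
}
```

With ERRMODE_EXCEPTION there is nothing for `@` to suppress and nothing for `or die()` to catch: every failed query reaches the single catch block, which is the one place that decides what is logged and what is shown.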