
Survey Security


MDCode


I am making a survey feature for my website. Nothing is wrong with the current security (that I know of :s). I was actually wondering what I could do to improve the security. Sorry for the lack of organization; I have no code editor on this computer.

 

submit_survey.php

<?php
require('check/ip_check.php');   // sets $ip_check to the number of existing rows for this IP and survey

// $id is the survey id from the query string; the original relied on register_globals,
// so it is read explicitly here.
$id = isset($_GET['id']) ? $_GET['id'] : '';

if ($id == "1") {
    if ($ip_check != "0") {
        echo "<p>Error: You have already taken this survey.<br>";
        echo "<a href='../index.php'>Back</a></p>";
        die;
    }
    else {
        // Question 1: must be exactly Yes or No
        if ($_POST['agree'] == "Yes") {
        }
        else if ($_POST['agree'] == "No") {
        }
        else {
            echo "<p>Error: Please select an answer for question 1<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 2: free text, must not be empty
        if ($_POST['placement'] == "") {
            echo "<p>Error: Please enter text for question 2<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // Question 3: Yes or No; a Yes makes question 4 mandatory
        if ($_POST['different_location'] == "Yes") {
            if ($_POST['location'] == "") {
                echo "<p>Error: It seems you selected yes for question 3.  Please enter text for question 4.<br>";
                echo "<a href='../survey.php?id=1'>Back</a></p>";
                die;
            }
        }
        else if ($_POST['different_location'] == "No") {
        }
        else {
            echo "<p>Error: Please select an answer for question 3<br>";
            echo "<a href='../survey.php?id=1'>Back</a></p>";
            die;
        }
        // All checks passed: store the answers
        include('add_survey1.php');
    }
}
else {
    echo "Error: Invalid survey id";
}
?>

 

Both ip_check.php files (one for selecting the survey, the other for when a user makes their own form and submits it):

<?php
session_start();

require('../config.php');

// The visitor is identified only by remote address
$ip = $_SERVER['REMOTE_ADDR'];

include('connection.php');   // must come first: mysql_real_escape_string() needs an open connection

$getid = mysql_real_escape_string($_GET['id']);

// Count previous responses from this IP for the requested survey
$sql = "SELECT * FROM Survey_Responses WHERE `ip` = '$ip' AND `id` = '$getid'";

$result = @mysql_query($sql, $connection) or die(mysql_error());

$ip_check = mysql_num_rows($result);   // 0 means no earlier submission
?>

 

add_survey1.php

<?php
session_start();

require('../config.php');
include('connection.php');   // opens $connection, needed by mysql_real_escape_string()

$ip = $_SERVER['REMOTE_ADDR'];

// Each answer is HTML-encoded and then SQL-escaped before it is stored
$question1 = htmlentities($_POST['agree'], ENT_QUOTES);
$question1 = mysql_real_escape_string($question1);

$question2 = htmlentities($_POST['placement'], ENT_QUOTES);
$question2 = mysql_real_escape_string($question2);

$question3 = htmlentities($_POST['different_location'], ENT_QUOTES);
$question3 = mysql_real_escape_string($question3);

$question4 = htmlentities($_POST['location'], ENT_QUOTES);
$question4 = mysql_real_escape_string($question4);

$question5 = htmlentities($_POST['other_locations'], ENT_QUOTES);
$question5 = mysql_real_escape_string($question5);

// Column order relies on the table definition: id, five answers, then the IP
$sql = "INSERT INTO Survey_Responses VALUES('1', '$question1', '$question2', '$question3', '$question4', '$question5', '$ip')";

$result = @mysql_query($sql, $connection) or die(mysql_error());

echo "Thank you for taking our survey.  Your answers have been successfully recorded.";
?>

 

Any help would be appreciated :)

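A hardened version of the submission handler, added here as an example rather than taken from the thread. It assumes config.php creates a PDO connection in $pdo and that Survey_Responses has named columns (survey_id, agree, placement, different_location, location, other_locations, ip); both are assumptions, not the original schema. The IP-based duplicate check is kept as the thread's own mechanism.

```php
<?php
// Added example, not the thread's code: a hardened submit handler for survey 1.
// Assumes config.php creates a PDO connection in $pdo and that Survey_Responses has
// named columns survey_id, agree, placement, different_location, location, other_locations, ip.
require 'config.php';

// Cast the survey id so only an integer can ever reach a query.
$surveyId = (int)($_GET['id'] ?? 0);
if ($surveyId !== 1) {
    http_response_code(400);
    exit('Error: Invalid survey id');
}

// Read every field once, with a default, so a hand-crafted form cannot omit keys.
$choices   = ['Yes', 'No'];
$agree     = $_POST['agree'] ?? '';
$diff      = $_POST['different_location'] ?? '';
$placement = trim($_POST['placement'] ?? '');
$location  = trim($_POST['location'] ?? '');
$other     = trim($_POST['other_locations'] ?? '');

// Whitelist the fixed-choice answers and cap free text so one submission cannot bloat the table.
$errors = [];
if (!in_array($agree, $choices, true))   $errors[] = 'Please select an answer for question 1';
if ($placement === '')                   $errors[] = 'Please enter text for question 2';
if (!in_array($diff, $choices, true))    $errors[] = 'Please select an answer for question 3';
if ($diff === 'Yes' && $location === '') $errors[] = 'You selected yes for question 3, please enter text for question 4';
foreach ([$placement, $location, $other] as $text) {
    if (strlen($text) > 1000) { $errors[] = 'Answers are limited to 1000 characters'; break; }
}
if ($errors) {
    echo '<p>Error: ' . implode('<br>', $errors) . "</p><a href='../survey.php?id=1'>Back</a>";
    exit;
}

// Bound parameters replace mysql_real_escape_string(); the values are stored as typed and
// should be passed through htmlspecialchars() only when they are displayed.
$ip = $_SERVER['REMOTE_ADDR'];
$check = $pdo->prepare('SELECT COUNT(*) FROM Survey_Responses WHERE ip = ? AND survey_id = ?');
$check->execute([$ip, $surveyId]);
if ($check->fetchColumn() > 0) {
    exit("<p>Error: You have already taken this survey.<br><a href='../index.php'>Back</a></p>");
}
$insert = $pdo->prepare('INSERT INTO Survey_Responses
    (survey_id, agree, placement, different_location, location, other_locations, ip)
    VALUES (?, ?, ?, ?, ?, ?, ?)');
$insert->execute([$surveyId, $agree, $placement, $diff, $location, $other, $ip]);

echo 'Thank you for taking our survey. Your answers have been successfully recorded.';
```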

An IP does not necessarily mean a computer. There can be many computers to an IP. What if the user is using a public computer (many responses, few IPs).

 

Register the survey with an email. This allows you a reply-to address, as well as a way to weed out multiple survey submits. Whatever system you use, unless you require a fingerprint scan, there is always the risk of multiple submissions.


unless you require a fingerprint scan

 

I have 10 fingers. ;)

 

@OP: Cookies, sessions, emails, it's nigh impossible to keep out people who want to fake a submission. The best thing you can do is determine which method will slow down the most fakers. Email address submissions (useful, because you can build a mailing list to drive return visits - you just need to weed out fake emails), user registration, captcha, IP time-outs, etc. Just bear in mind, even in the real world statistics have margins of error.


Remove the @ in front of mysql_query(). Suppressing errors isn't a good thing to do, and mysql_query() doesn't output anything if a query fails.

 

Also, remove the or die(mysql_error()) calls when you go to production. In production you should be logging the errors, not displaying them to the public - especially SQL errors. All the user has to know is that something went wrong. Maybe send a "500 - Internal Server Error" header or something.

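The error-handling pattern described in the reply above, as an added example (not code from the thread): failures are logged for the operator and the visitor only sees a generic 500 response. $dsn, $dbUser and $dbPass are assumed to be defined in config.php; the table columns are placeholders.

```php
<?php
// Added example, not the thread's code: log database errors instead of showing them.
// Assumes config.php defines $dsn, $dbUser and $dbPass (placeholder names).
require 'config.php';
ini_set('display_errors', '0');   // never show PHP or SQL errors to visitors
ini_set('log_errors', '1');       // ...but keep them in the server error log

try {
    $pdo = new PDO($dsn, $dbUser, $dbPass, [
        // Failed queries throw instead of returning false, so nothing has to be @-suppressed
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $pdo->prepare('INSERT INTO Survey_Responses (survey_id, ip) VALUES (?, ?)');
    $stmt->execute([1, $_SERVER['REMOTE_ADDR']]);
    echo 'Thank you for taking our survey.';
} catch (PDOException $e) {
    // Full detail goes to the log; the visitor only learns that something went wrong
    error_log('survey insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
}
```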
