[SOLVED] An Easy one for you guys!


bri4n

Hi guys!

 

I just need some advice on how to fix this. I have a "voting page". I want to stop a person from voting endlessly, so I am using $_SESSION to prevent this.

 

On the first page I have before any output:

 

<?php

session_start();

?>

 

Later in the code I set a $_SESSION variable:

/*Set Session Variable. Gets unique IP address and stores it as a Session variable*/

$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDRESS'];

 

As you can see in the comment, this is supposed to get the visitor's IP address and store it as a SESSION variable.

 

Once the user clicks the form's submit button, the "show_votes.php" page will be processed. Here is the code for the form:

 

echo "<form action='showvotes.php' method='POST'>\n";
echo "<p>Vote for your favourite charity</p>\n";

while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    /* Quote the value attribute and HTML-escape the database values before output */
    echo "<input type=\"radio\" name=\"vote\" value=\"" . htmlspecialchars($row['choice'], ENT_QUOTES) . "\">" . htmlspecialchars($row['charity'], ENT_QUOTES) . "<br/>\n";
}

echo "<p><input type='submit' value='Vote'></p>\n";
echo "</form>\n";
echo "<p><a href='showvotes.php'><b>See the vote totals!</b></a></p>\n";

 

It is this "showvotes.php" page that seems to be the problem, as it allows the visitor to go back to the vote page and vote again, instead of producing the message I have created. Here is the code for the "showvotes.php" page (again, this starts with the following at the top of the page):

 

<?php

session_start();

?>

 

The code that I have to check if the $_SESSION variable is set:

 

<?
if (isset($_SESSION['user_ip'])) {
    echo "You have already voted. Please come back tomorrow to vote again.";
}
else {
    /*Connect to server and database*/
    include("include/assorted.inc.php");

    $connection = mysql_connect($host, $user, $password)
        or die("Could not connect to the server");

    $db = mysql_select_db($database, $connection)
        or die("Could not connect to the database");
    /*End of server and database connect*/

    /* ... rest of the script (not included in the post) updates the vote totals ... */
}
?>

 

As you can see the latter part of this code connects to the database and the rest of the code (not included above) updates the various voting totals.

 

Can someone give me any pointers as to what I may have missed, or messed up in the code? Again, here is what I am trying to achieve: users can't vote endlessly; once the user has submitted their vote they will not be allowed to vote again until the next day (I am relying on the automatic "Session Life" to prevent a user from doing so).

 

Thanx for any help!

Brian 

 

 

 

Link to comment
Share on other sites

Hi teng84!

 

I want to avoid cookies, seeing as the users can have their browser set to not accept cookies. What I meant was that $_SESSION variables have a default time where they expire (if the code isn't set to unset the $_SESSION variable, or to destroy the variable).

 

It is this that I want to use in the timing...

 

Thanks for any help or advice you can provide!  :)

 

TIA,

Brian  :)

Link to comment
Share on other sites

Why not write the ip to the database and do an if function ?

 

create a table called vote

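and add to your insert code when users vote

//REMOTE_ADDR is read from $_SERVER (the bare $REMOTE_ADDR only exists with register_globals on)
$ip = $_SERVER['REMOTE_ADDR'];

mysql_query("insert into vote (ip) values('" . mysql_real_escape_string($ip) . "')") or die("Could not add to log.");

<?php

//get user IP address
$userip = $_SERVER['REMOTE_ADDR'];

//look up the IP address in the vote table (string values must be quoted in SQL)
$vote = mysql_query("select * from vote where ip='" . mysql_real_escape_string($userip) . "'");

//check if IP address has voted: mysql_query returns a result resource, so count its rows
if ($vote && mysql_num_rows($vote) > 0) {
    echo "<BR>You Have Already Voted";

    exit();
}

else {

    echo " CODE TO APPLY THE VOTE ";

}

//continue with script...

?>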

 

i think thats right lol its too late for this 4am :P

 

mike

Link to comment
Share on other sites

Hi smithy!

 

That would work. But one thing that would concern me is that if someone is assigned a static IP address, then they could only vote once, and never again. Unless they get assigned a new IP address...what's your take on this?

 

Thanx,

Brian :-)

Link to comment
Share on other sites

Only other way would be to make someone register and verify an email.

and only one user per address.

 

depends how secure you want it to be I guess, you could add in a lot of stuff and use them in combination.

 

cookies, ip, registered email addresses.

 

as I said, it's just a matter of how secure or convenient you want it to be

Link to comment
Share on other sites

I'm not exactly sure if this will work but maybe you could try to register the session like this:

 

session_set_cookie_params(30 * 60, "/");
session_start();
print_r(session_get_cookie_params());

// Session will expire in 30 minutes. (minutes * seconds)

Link to comment
Share on other sites

Hey Ryeman!

 

Whereabouts should I place the code you have supplied? If I put it at the top of the first page (being the voting page) I get the following printed at the top of the page:

 

Array ( [lifetime] => 1800 [path] => / [domain] => [secure] => )

 

Thanx,

Brian :-)

Link to comment
Share on other sites

Hi Smithy!

 

I don't foresee myself checking the totals daily...so the button idea, though good, would mean that I have to spend more time than I want to, checking everything.

 

Is there a way that I can capture the IP address and then post it and then employ a $_POST variable (when the user hits the "Vote" button) along with the $_SESSION variable?

 

Thanx,

Brian :-)

Link to comment
Share on other sites

You can't use the IP address because there might be different people who will use that IP or PC.

Maybe you can just have a login system where the member user can only vote once.

In this case it would be easier; all you have to do is save the time that the person voted and block that user for the given time, e.g. 24 hours.

Link to comment
Share on other sites

Since HTTP is an anonymous, stateless protocol there is no method that does 100% what you'd like it to.  All methods of being able to uniquely identify a particular user are strictly opt-in and they all occur on the client side.

 

As pointed out, you can't use IPs.  While every computer in a school's computer lab might have a different IP internally to the school's network, I believe they all live behind the same IP as far as the outside world is concerned.  So if you block by IP and someone in the computer lab votes you'll lock out everyone else in the lab.

 

Cookies provide the only method of uniquely identifying a machine for any length of time.  You're right that a user can disable them, but 99% of the time sessions use a cookie as well so it's a moot point.  In other words, if cookies are turned off, your session solution won't work either.

 

I'd recommend using cookies.  Most people aren't going to go to the trouble of repeatedly deleting a cookie just to submit a poll answer multiple times.  If the polls are so important that you really want to block multiple submissions securely (and you still can't really), then require users to have an account with a valid e-mail address.

Link to comment
Share on other sites

Hi guys!

 

Thanks for all your input and advice. Seems like I'll just stick with the status quo and leave things as they are...I just put it out there to see if there was a way of getting around the issue.

 

I really appreciated the input offered here.. :)

 

Thanx,

Brian  :)

Link to comment
Share on other sites
