vote package
on 27.08.2009 13:52:58 by Noel Butler
Hi All,
Can someone suggest a reputable vote script in php that uses mysql,
doesn't need to be fancy, just have a decent reputation for not
being exploited :) also tracking of users via IP to prevent ghost
voting... We are using php 5.3.0, the old one fails under that, and it
had known issues so we dumped it...
TIA
Re: vote package
on 27.08.2009 16:55:35 by TedD
At 9:52 PM +1000 8/27/09, Noel Butler wrote:
>Hi All,
>Can someone suggest a reputable vote script in php that uses mysql,
>doesn't need to be fancy, just have a decent reputation for not
>being exploited :) also tracking of users via IP to prevent ghost
>voting... We are using php 5.3.0, the old one fails under that, and it
>had known issues so we dumped it...
>
>TIA
Noel:
I think you'll run into exploitation problems regardless.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: vote package
on 28.08.2009 01:25:43 by TedD
At 7:18 AM +1000 8/28/09, Noel Butler wrote:
>On Thu, 2009-08-27 at 10:55 -0400, tedd wrote:
>>
>>I think you'll run into exploitation problems regardless.
>
>I'm getting that impression from the hours and hours I wasted
>yesterday prior to my post trying to find a good one :(
There's not going to be a system that blocks people from voting more
than once UNLESS you require each person to register via a unique id.
If that's the case, then you can collect valid one-person votes.
However, the net is not going to provide you with a unique ID. You
can use an email address, which is unique, but anyone can have any
number of email addresses and vote for each one.
You might try to use the reported IP of the submitter, again unique,
but that can be forged -- so again anyone can vote more than once.
If the votes are not important, then you can get a fair estimate by
using something like this:
http://php1.net/b/flash-poll/
However, if the vote is important (one person/one vote), then
unfortunately there is no way to guarantee a one-person/one-vote
system by using just the net. You must have some way to specifically
identify the person voting, such as a driver license #, ss#, visa, or
something you mailed them -- you can't rely on anything from the net.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
Re: vote package
on 28.08.2009 03:01:10 by Ben Dunlap
> You might try to use the reported IP of the submitter, again unique, but
> that can be forged -- so again anyone can vote more than once.
Can you say more about forging the reported IP? I've always been under
the impression that forging the source IP in a TCP session is a pretty
sophisticated operation, but maybe I'm mistaken about that.
Of course source IP isn't a reliable unique-ID, for the opposite
reason also: forward proxies, NAT, etc., make it pretty likely that
several users will come to the site from the same IP. So you'd end up
incorrectly refusing legitimate votes.
Ben
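The contrast TedD and Ben Dunlap describe, as an added example that is not part of any post in this thread: deduplicating on source IP refuses a second voter behind a shared address and counts one person twice from two addresses, while a single-use token delivered out of band is accepted once and refused on replay. It assumes PHP 7 or later with pdo_sqlite; SQLite in memory stands in for MySQL, and the table and function names are hypothetical.

```php
<?php
// Added example, not from the thread; SQLite stands in for MySQL, names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ballot_tokens (token_hash TEXT PRIMARY KEY, choice TEXT)');
$db->exec('CREATE TABLE ip_votes (ip TEXT PRIMARY KEY, choice TEXT)');

// Issue one random token per registered voter and store only its hash; the
// plaintext token is what gets delivered out of band ("something you mailed them").
function issueToken(PDO $db): string {
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO ballot_tokens (token_hash) VALUES (?)')
       ->execute([hash('sha256', $token)]);
    return $token;
}

// Redeem atomically: the UPDATE matches only an issued, unused token, so a
// replayed or never-issued token changes zero rows and is refused.
function voteByToken(PDO $db, string $token, string $choice): bool {
    $st = $db->prepare('UPDATE ballot_tokens SET choice = ?
                        WHERE token_hash = ? AND choice IS NULL');
    $st->execute([$choice, hash('sha256', $token)]);
    return $st->rowCount() === 1;
}

// IP-based dedupe, as asked for in the first post: first vote per address wins.
function voteByIp(PDO $db, string $ip, string $choice): bool {
    try {
        $db->prepare('INSERT INTO ip_votes (ip, choice) VALUES (?, ?)')
           ->execute([$ip, $choice]);
        return true;
    } catch (PDOException $e) {
        return false; // insert failed; here that means the address already has a row
    }
}

// Constructed scenario: Alice and Bob share one NAT address (documentation
// ranges only); Carol votes from two addresses, e.g. home and mobile.
[$alice, $bob, $carol] = [issueToken($db), issueToken($db), issueToken($db)];

var_dump(voteByIp($db, '203.0.113.7', 'A'));   // Alice
var_dump(voteByIp($db, '203.0.113.7', 'B'));   // Bob, same NAT address
var_dump(voteByIp($db, '198.51.100.20', 'A')); // Carol
var_dump(voteByIp($db, '198.51.100.21', 'A')); // Carol again, second address
var_dump(voteByToken($db, $alice, 'A'));
var_dump(voteByToken($db, $bob, 'B'));
var_dump(voteByToken($db, $carol, 'A'));
var_dump(voteByToken($db, $carol, 'A'));              // replay of a used token
var_dump(voteByToken($db, str_repeat('0', 32), 'A')); // token that was never issued
```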
RE: vote package
on 28.08.2009 14:33:46 by Bob McConnell
From: Ben Dunlap
>> You might try to use the reported IP of the submitter, again unique, but
>> that can be forged -- so again anyone can vote more than once.
>
> Can you say more about forging the reported IP? I've always been under
> the impression that forging the source IP in a TCP session is a pretty
> sophisticated operation, but maybe I'm mistaken about that.
Forging IP addresses is actually quite simple. VMs do it all the time
when bridged to the real NIC. There are also some projects on Source
Forge designed to load test HTTP servers that do similar things. I have
an application I wrote for testing that can emulate an entire class B
subnet full of computers. All it takes is a little digging around on
Google, a FreeBSD system installed in a VM and a little knowledge of the
local network topology. In my case I have several blocks of addresses
allocated by the local administrator for this test bed.
Bob McConnell
RE: vote package
on 28.08.2009 22:40:24 by Noel Butler
On Fri, 2009-08-28 at 08:33 -0400, Bob McConnell wrote:
>
> Forging IP addresses is actually quite simple. VMs do it all the time
> when bridged to the real NIC. There are also some projects on Source
> Forge designed to load test HTTP servers that do similar things. I have
> an application I wrote for testing that can emulate an entire class B
> subnet full of computers. All it takes is a little digging around on
> Google, a FreeBSD system installed in a VM and a little knowledge of the
> local network topology. In my case I have several blocks of addresses
> allocated by the local administrator for this test bed.
>
> Bob McConnell
sorry if this explodes your bubble, but you don't need freebsd to do
it :)
RE: vote package
on 31.08.2009 14:34:57 by Bob McConnell
From: Noel Butler
> On Fri, 2009-08-28 at 08:33 -0400, Bob McConnell wrote:
>
> Forging IP addresses is actually quite simple. VMs do it all the time
> when bridged to the real NIC. There are also some projects on Source
> Forge designed to load test HTTP servers that do similar things. I have
> an application I wrote for testing that can emulate an entire class B
> subnet full of computers. All it takes is a little digging around on
> Google, a FreeBSD system installed in a VM and a little knowledge of the
> local network topology. In my case I have several blocks of addresses
> allocated by the local administrator for this test bed.
>
> sorry if this explodes your bubble, but you don't need freebsd to do it :)
Yes, I know. I only mentioned FreeBSD because I have actually used it.
It was already available in a VM because I was playing with DummyNet for
another test bed project. But I haven't tried similar tasks on Linux
yet.
Bob McConnell