Securing a PHP/MySQL poll system
I'm building a PHP/MySQL poll system and I was wondering if there's any more secure method than setting a cookie + saving user IP address and checking them later.
Thank you.
The problem with poll systems is that you want to be sure users can only vote once. This problem has no solution unless you ask for personal information which cannot be forged.
Yep, user/pass is the only way. If you want to keep it really simple while using user authentication, use Facebook Connect. Nowadays almost everyone has FB and in a few minutes you could have it running.
I agree with the previous answer that the most secure approach is to store the vote and user account info (IDs).
But if you need a simple vote without registration, the only way is:
- On the client side, use something more persistent (look at https://github.com/samyk/evercookie)
- On the server side, store all possible info about the voting guest user (OS, Browser, etc.)
- Perform some sort of simple heuristic or conditions on this data (if OS, IP, and some parameter are the same, this might be the same user)
- Do not allow votes within a short time (if OS, IP and metric are the same and the time is less than X sec)
- Log as much information as possible and adapt your system
- Properly inform the user what's going on, i.e. "Your vote has been denied because you already voted", etc.
- Refuse weird votes (no OS, etc.)
- Use MySQL indexes where appropriate!
- You can also hash some portion of the information and search only for the same hashes (IP, OS, Browser)
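One way to implement the server-side checks from the list above (hashed IP/browser fingerprint, minimum interval between votes, refusing requests with no browser info, an index to search on), as an added example that is not part of the original answer. The table layout, function names, secret placeholder and 30-second window are assumptions, and the demo uses in-memory SQLite through PDO so that it runs without a MySQL server.

```php
<?php
// Added example: schema, names and the 30 s window are assumptions, not from the answer.
const FP_SECRET = 'replace-with-random-server-secret'; // placeholder
const MIN_GAP = 30;                                    // the "X sec" between votes per IP

function keyed(string $data): string {
    // Keyed hash: raw IPs/user agents are never stored, and hashes can't be precomputed.
    return hash_hmac('sha256', $data, FP_SECRET);
}

function record_vote(PDO $db, int $poll, int $option, array $server, int $now): string {
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $ua   = trim($server['HTTP_USER_AGENT'] ?? '');
    $lang = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    if ($ua === '' || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'rejected';                       // "refuse weird votes"
    }
    $q = $db->prepare('SELECT MAX(voted_at) FROM votes WHERE poll_id = ? AND ip_hash = ?');
    $q->execute([$poll, keyed($ip)]);
    $last = $q->fetchColumn();
    if ($last !== null && $last !== false && $now - (int)$last < MIN_GAP) {
        return 'throttled';                      // same IP voted too recently
    }
    try {
        $db->prepare('INSERT INTO votes VALUES (?, ?, ?, ?, ?)')
           ->execute([$poll, $option, keyed("$ip\n$ua\n$lang"), keyed($ip), $now]);
        return 'accepted';
    } catch (PDOException $e) {
        // SQLSTATE 23000: the UNIQUE index saw this fingerprint already (race-safe check).
        if ((string)$e->getCode() === '23000') return 'duplicate';
        throw $e;
    }
}

// Demo on in-memory SQLite so it runs offline; the same DDL works on MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (poll_id INT NOT NULL, option_id INT NOT NULL,
    fingerprint CHAR(64) NOT NULL, ip_hash CHAR(64) NOT NULL, voted_at INT NOT NULL,
    UNIQUE (poll_id, fingerprint))');
$db->exec('CREATE INDEX idx_poll_ip ON votes (poll_id, ip_hash, voted_at)');

// Constructed requests (documentation IP range).
$a = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)',
      'HTTP_ACCEPT_LANGUAGE' => 'en-US'];
foreach ([[$a, 1000], [$a, 1005], [$a, 2000], [['REMOTE_ADDR' => '203.0.113.7'], 3000]] as [$req, $t]) {
    echo $t, ': ', record_vote($db, 1, 2, $req, $t), PHP_EOL;
}
```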
No, the only thing you could do to secure a polling system is to require registration or a valid email address.
Unless you're prepared to force people to create a user account (and then lock votes to an account) this is pretty much all you can do in my experience.