0

I've asked this question before, but now I'll be more specific. I have a voting system where anyone can vote (no need to be a registered user). I want to allow users to vote only once. The best way, I guess, would be via booleans, wouldn't it? So I'm just asking you to show me a better way to do it. Here is the code:

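<?php
// $likes and $name are not defined in this snippet.
$tries = 0; // re-initialised on every request
if (isset($_POST['hidden']) && $tries < 2) {
    $tries++;
    $likes++;
    // Legacy mysql_* API; $name is interpolated directly into the SQL string.
    $up = mysql_query("UPDATE videos SET Likes='$likes' WHERE Name='$name'");
}
?>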
user2120032
  • 51
  • 2
  • 8
  • Oh boy. You are getting in deep here. Have you heard of all the companies that have been burned by online voting with no registration? See Mountain Dew.... Also, this `$tries` variable you have will never not be zero, as it is reset every time the PHP script is executed. – thatidiotguy Mar 12 '13 at 16:13
  • "No need to be a registered user" - "allow users": make up your mind man : )) Anyway no, consider using OAuth to login via FB/Twitter/whatever so registration is not needed, and uniqueness is [kind of] safe. – moonwave99 Mar 12 '13 at 16:15
  • I do know, I wouldn't ask this question if it worked only with registered users. That's the way it's supposed to work – user2120032 Mar 12 '13 at 16:15
  • This is fairly broad, we need more detail about the user system and so on – Tom Walters Mar 12 '13 at 16:15

2 Answers

1

If the user is not registered you really cannot tell if he's voted before. Some common ways (which are far from being bulletproof) are to keep a log of votes per IP for some time (so if the log table contains the IP for this content do not accept the vote), or use cookies to know if the person has voted.

None of the above is 100%! That's why most companies don't allow anonymous voting.

Nick Andriopoulos
  • 10,313
  • 6
  • 32
  • 56
  • Was thinking of saying something like this but with the proviso that IP addresses can, and will, be spoofed. – Daniel Hollinrake Mar 12 '13 at 16:16
  • 1
    As I said, it's far from 100%. Even if not spoofed, blocking an IP on a mobile-friendly site usually blocks one of the carrier gateways, so effectively after a few votes a whole carrier is blocked (NAT). – Nick Andriopoulos Mar 12 '13 at 16:17
  • Very true. And blocking IP addresses can in theory lead to people not gaining access through no fault of their own. – Daniel Hollinrake Mar 12 '13 at 16:19
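
The per-IP vote log described in the answer above, as an added example that is not part of the original thread or the asker's code. The `vote_log` table, the `cast_vote` function, the HMAC key placeholder, the 24-hour window and the sample addresses are assumptions; as the comments point out, voters behind one NAT gateway share an address, so this limits repeat votes rather than identifying voters.

```php
<?php
// Added example: per-IP vote log with an expiry window.
// SQLite in memory keeps it runnable offline; all names here are assumptions.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE videos (Name TEXT PRIMARY KEY, Likes INTEGER NOT NULL DEFAULT 0)');
    // The primary key enforces "one vote per address per video", not a PHP variable.
    $db->exec('CREATE TABLE vote_log (video TEXT, voter TEXT, voted_at INTEGER,
               PRIMARY KEY (video, voter))');
    return $db;
}

function cast_vote(PDO $db, string $video, string $ip, int $now, int $window = 86400): bool {
    // Store a keyed hash instead of the raw address; the key is a placeholder.
    $voter = hash_hmac('sha256', $ip, 'replace-with-server-secret');
    $db->beginTransaction();
    // Forget log entries older than the window ("for some time").
    $db->prepare('DELETE FROM vote_log WHERE voted_at < ?')->execute([$now - $window]);
    $ins = $db->prepare('INSERT OR IGNORE INTO vote_log (video, voter, voted_at) VALUES (?, ?, ?)');
    $ins->execute([$video, $voter, $now]);
    $accepted = $ins->rowCount() === 1; // 0 rows: this address is already in the log
    if ($accepted) {
        // Increment inside SQL so concurrent requests cannot overwrite each other's count.
        $db->prepare('UPDATE videos SET Likes = Likes + 1 WHERE Name = ?')->execute([$video]);
    }
    $db->commit();
    return $accepted;
}

// Constructed sample data: one video, documentation-range IP addresses.
$db = open_db();
$db->exec("INSERT INTO videos (Name) VALUES ('demo-video')");
$t = 1363104000; // constructed timestamp
var_dump(cast_vote($db, 'demo-video', '203.0.113.7', $t));         // first vote
var_dump(cast_vote($db, 'demo-video', '203.0.113.7', $t + 60));    // repeat inside the window
var_dump(cast_vote($db, 'demo-video', '198.51.100.9', $t + 120));  // different address
var_dump(cast_vote($db, 'demo-video', '203.0.113.7', $t + 90000)); // after the window expired
echo $db->query("SELECT Likes FROM videos WHERE Name = 'demo-video'")->fetchColumn(), "\n";
```
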
0

I know one startup that needed almost the same thing you need. They implemented some controls like this website

https://panopticlick.eff.org/index.php?action=log&js=yes

Which tells you this:

Your browser fingerprint appears to be unique among the 2,762,716 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 21.4 bits of identifying information.

This means that it generates a fingerprint of your user agent, OS and other parameters. This is not a standalone implementation, because that's not 100% effective. They also implemented a manual vote validation methodology, which handles those results of the fingerprint that didn't suit the filter.

Applying this to your case: you will need to implement this fingerprint solution (or another one like that) and manually check the exceptions (the more users / votes, the more exceptions).

Hope it helps.

reixa
  • 6,903
  • 6
  • 49
  • 68