
I am building a feature that allows a user to vote only once in every 24 hours.

Here is my database structure

 id ip        timestamp           userid
  9 127.0.0.1 2013-06-27 16:52:49 35

I used this function to get the user's client IP address. I am in a localhost environment and it keeps giving me the localhost IP 127.0.0.1 instead of my public IP. Is there anything wrong with it?

function get_client_ip() {
    $ipaddress = '';
    // Every HTTP_* value below is copied from a request header, so the
    // client (or any proxy in between) decides what it contains.
    if (getenv('HTTP_CLIENT_IP'))
        $ipaddress = getenv('HTTP_CLIENT_IP');
    else if (getenv('HTTP_X_FORWARDED_FOR'))
        $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
    else if (getenv('HTTP_X_FORWARDED'))
        $ipaddress = getenv('HTTP_X_FORWARDED');
    else if (getenv('HTTP_FORWARDED_FOR'))
        $ipaddress = getenv('HTTP_FORWARDED_FOR');
    else if (getenv('HTTP_FORWARDED'))
        $ipaddress = getenv('HTTP_FORWARDED');
    // REMOTE_ADDR is filled in by the web server from the TCP connection,
    // not from a header; it is only reached if no header above is present.
    else if (getenv('REMOTE_ADDR'))
        $ipaddress = getenv('REMOTE_ADDR');
    else
        $ipaddress = 'UNKNOWN';

    return $ipaddress;
}

Is there something wrong with my logic for this feature? My idea is:

1) First query the table to see if an IP for the user is persisted. If so, he/she voted.
2) Check the timestamp of the vote against the current timestamp; if his vote was more than 24 hours ago, allow him to vote again.

My concern is not with the timestamp, but with the IP address. I do not know if the function I built is good enough to get his IP address, even if he is behind a proxy.

Advice appreciated. Thanks

Cheers

Fallen
Slay
Your requests do not leave your computer; your web server is on your machine, I assume, thus your IP address will always be 127.0.0.1. – Fracsi Jun 27 '13 at 09:00

This is a pretty bad function as it takes HTTP_CLIENT_IP first, which the user can change to be what they like. Also, `getenv('REMOTE_ADDR')` should really be `$_SERVER['REMOTE_ADDR']`. Personally I'd just use REMOTE_ADDR. – Rich Bradshaw Jun 27 '13 at 09:03

Using the IP is the second safest way of handling this. Better would be to require users to sign up (email, activation, bla...) and save the vote lock along with the IP in your database. Then switching the IP doesn't work when he is using the same account. Creating a new account doesn't work without reconnecting the router. However, there is no 100% solution. – dognose Jun 27 '13 at 09:07
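The comments above point out that every HTTP_* value in the question's function is chosen by the client. The following is an added example, not code from the question or its answers, showing how the same lookup looks when only REMOTE_ADDR is trusted by default and X-Forwarded-For is honoured only when the request arrived through a proxy you operate. The proxy address 10.0.0.5, the function name resolve_client_ip and the two sample requests are assumptions made for the example.

```php
<?php
// Assumed address of the reverse proxy this app sits behind; replace with your own.
const TRUSTED_PROXIES = ['10.0.0.5'];

function resolve_client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR comes from the TCP connection, set by the web server itself;
    // a client cannot forge it the way it can forge any HTTP_* header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }

    // Only a proxy we control is allowed to tell us who the real client is.
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For reads "client, proxy1, proxy2". Walk it from the right,
        // skipping our own proxies, so that a value the client prepended itself
        // is never the one we pick.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trustedProxies, true)) {
                return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : 'UNKNOWN';
            }
        }
    }

    // Direct connection (or proxy sent no header): the peer is the client.
    return $peer;
}

// Constructed sample requests (not real traffic).
// 1) A client connecting directly while sending forged headers: they are ignored.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '198.51.100.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
];
// 2) The same client behind our proxy, which appended the real address last.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
];

var_dump(resolve_client_ip($direct));
var_dump(resolve_client_ip($viaProxy));
```

Even with a correct lookup, an IP is shared by everyone behind the same NAT and changes on reconnect, so it only limits casual repeat votes; the vote lock should be tied to an authenticated account where that matters.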

2 Answers

I'm afraid that the only way to reliably determine whether a user has already voted is to make them authenticate. Relying on the IP address won't work because the user can disconnect and reconnect to the internet and get a new IP, or use a proxy. Relying on a cookie won't work either because a cookie can be easily deleted.

Anyway, if you want to stick with the IP address solution, knowing that it won't work 100%, check the solution to this question for a nice function to get the IP address: What is the most accurate way to retrieve a user's correct IP address in PHP?

zekus

Why don't you set a cookie? You set a 24h expiry time. I know that's not 100% secure, but I can easily reconnect to the internet to change my IP, so an IP check is "insecure" too.

if (isset($_COOKIE["alreadyVoted"])) throw new Exception(/* ... */);

http://php.net/manual/en/features.cookies.php

http://www.php.net/manual/en/function.setcookie.php

Hope this helps.

Daniele Vrut