-1

So I'm trying to block voting for 24 hours after a user has already voted, and I've been stuck for a while now. I tried working off this earlier post but I haven't had any luck. I was able to echo the IP address but not the vote_time.

I have a database with a table named voterlist that has two columns: submission_ip and vote_time. (The time is formatted like this: date("Y-m-d H:i:s",time()).)

My PHP looks like this:

<?php
$ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$query = "SELECT vote_time FROM voterlist WHERE submission_ip ='$ip'"; 
$result = mysql_query($query);
if(mysql_num_rows($result) < date('Y-m-d H:i:s',strtotime('-24 hour'))) {
   echo 'you can vote again in 24 hours';
}else { 
   echo 'vote now';
}
?>

Any help with this query would be greatly appreciated.

Mike
  • Blocking by IP is a bad idea. Do you want to block a whole company after one employee has voted? – Jan 22 '15 at 21:45
  • You can't judge IP as a vote - which is why some kind of registration is usually required to vote. If the vote can be wrong (not an important vote) then basing it off IP will work fairly well. – Xeoncross Jan 22 '15 at 21:46
  • I wrote a very, very simple [PDO Wrapper](https://github.com/Xeoncross/DByte) for people like you who need to migrate off old php-mysql commands (to pdo-mysql). – Xeoncross Jan 22 '15 at 21:49
  • See : http://stackoverflow.com/q/17338848/656243 – Lynn Crumbling Jan 22 '15 at 21:52
  • And : http://stackoverflow.com/q/17013424/656243 – Lynn Crumbling Jan 22 '15 at 21:53
  • And : http://stackoverflow.com/q/10618281/656243 – Lynn Crumbling Jan 22 '15 at 21:53
  • And: http://stackoverflow.com/q/8154564/1544337 –  Jan 22 '15 at 21:58
  • If I were you, I'd always tell them they can vote again in 24 hours, and if there's another vote from the same IP address within the last 24 hours, just throw it away. This way, people won't have a bad user experience if they share an IP address, and your voting counts will still likely be "good enough". – Marcus Adams Jan 23 '15 at 00:50

1 Answer

2

In your line

if(mysql_num_rows($result) < date('Y-m-d H:i:s',strtotime('-24 hour'))) {

What are you trying to do here exactly?

The first term, mysql_num_rows($result), is the number of rows the query returned. The second term, date('Y-m-d H:i:s',strtotime('-24 hour')), is some date string, like 2015-01-25 22:47:00. You're comparing them, why?

Instead, check for the date in the query:

SELECT vote_time FROM voterlist WHERE submission_ip ='$ip' AND `vote_time` > timestampadd(day, -1, now())

Then, if mysql_num_rows($result) gives you 1 or more, that means there is a record, so there has been a vote in the last 24 hours. If the number of rows is 0, there has not been a vote in the last 24 hours.

Besides that, blocking by IP is a bad idea. Do you want to block a whole company after one employee has voted? You could use authentication with some OpenID provider to ensure people only vote once; however, privacy may be an issue. If you have a list of the people who are allowed to vote (and it's not 'everyone') you could look into systems such as RIES, which was used in some elections in the Netherlands a few years ago. (In 2008 the software was released and shown to have extensive security problems.)

Also note that the mysql_* functions have been deprecated (docs) in favour of PDO_MySQL and mysqli_*.

  • Thanks for the help Camil. I'm taking your advice on not blocking by IP. I'm now trying to do it by email address and vote_time – Mike Jan 26 '15 at 22:06
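
The check described in the answer, written with PDO prepared statements instead of the deprecated mysql_* functions. This is an added example, not code from the question or the answer. It assumes an in-memory SQLite database so it runs stand-alone, computes the cutoff in PHP instead of with timestampadd(), and the function names hasVotedRecently and recordVote are hypothetical; the table and column names are the ones from the question.

```php
<?php
declare(strict_types=1);

// True if $ip has a row in voterlist with vote_time later than ($now - 24 hours).
// The 'Y-m-d H:i:s' format sorts correctly as text, so the comparison is done in SQL.
function hasVotedRecently(PDO $db, string $ip, DateTimeImmutable $now): bool
{
    $cutoff = $now->modify('-24 hours')->format('Y-m-d H:i:s');
    $stmt = $db->prepare(
        'SELECT 1 FROM voterlist
          WHERE submission_ip = :ip AND vote_time > :cutoff
          LIMIT 1'
    );
    // Values are bound, never interpolated into the SQL string.
    $stmt->execute([':ip' => $ip, ':cutoff' => $cutoff]);
    return $stmt->fetchColumn() !== false;
}

// Records a vote unless one exists inside the window. Returns whether it was stored.
function recordVote(PDO $db, string $ip, DateTimeImmutable $now): bool
{
    if (hasVotedRecently($db, $ip, $now)) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO voterlist (submission_ip, vote_time) VALUES (:ip, :t)'
    );
    $stmt->execute([':ip' => $ip, ':t' => $now->format('Y-m-d H:i:s')]);
    return true;
}

// Constructed demo: in-memory database and sample values, not real data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE voterlist (submission_ip TEXT NOT NULL, vote_time TEXT NOT NULL)');

$ip = '203.0.113.7';                                  // documentation-range address
$t0 = new DateTimeImmutable('2015-01-22 21:00:00');   // constructed timestamp

var_dump(recordVote($db, $ip, $t0));                      // first vote from this address
var_dump(recordVote($db, $ip, $t0->modify('+23 hours'))); // still inside the window
var_dump(recordVote($db, $ip, $t0->modify('+25 hours'))); // window has passed
```

The check and the insert here are two separate statements, so two simultaneous requests from the same address could both pass the check; wrapping them in a transaction or enforcing the rule with a database constraint closes that gap.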