
I've had a couple of questions answered very nicely here, and I've got some more trouble someone can probably help with:

I have a SQL database that holds a poll question answer and a user IP address. Here is my (now working!) PHP code:

  // check to see if user has already voted
  $current_user = $_SERVER['REMOTE_ADDR'];
  $select_query = "SELECT * FROM w_poll_counter WHERE user_IP = '" . $current_user . "';";

  $result = mysql_query($select_query);

  if($result)
  {
    // mysql_fetch_array() returns false when no row matched, so guard before indexing
    $row = mysql_fetch_array($result);

    if($row && $current_user === $row['user_IP'])
    {
      //user already voted - show results page
      header("Location: scripts/show_results.php");
      exit();
    }
  }

The code works great, except there's one problem... After a user votes and sees the results page, they can click the browser's 'back' button and then simply vote again, since the code to check their IP address doesn't run in that instance.

What do I need to do to fix this issue?

Thanks!

BigRob250
  • You have to add the check for the IP address before executing the update statement. Are you showing the code which opens the site on which the poll is shown? – Philipp Jul 15 '16 at 20:55
  • This code excerpt is from a file called 'voting.php' and is the first bit of code executed when a user clicks the link to 'Vote in the weekly poll'. The problem is that when a user votes and lands on the 'show_results.php' page, they can click their 'back' button in the browser to return to 'voting.php', and since it is in their browser cache, the code does not execute. This allows them to vote again. – BigRob250 Jul 15 '16 at 20:59
  • Don't insert if the IP's already in the database, and try to prevent the back button by marking the poll page as non-cacheable. – Marc B Jul 15 '16 at 20:59
  • Marc, thank you! That's the answer I needed! How do I vote your answer as correct? I don't see the button. – BigRob250 Jul 15 '16 at 21:01
  • Add a unique constraint on the table and you won't need logic to determine if they voted already. – Jeff Jul 16 '16 at 02:30

1 Answer

Check if the user has already voted before executing your update statement.

Also, you should take better care: your script is very vulnerable to SQL injection. https://stackoverflow.com/a/60496/3595565

I can show you this example of an implementation via PDO:

  $pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8;', 'dbUser', 'dbPassword');

  // the IP address is bound as a parameter, never concatenated into the SQL text
  $stmtCheck = $pdo->prepare("SELECT * FROM w_poll_counter WHERE user_IP = ?");
  $stmtCheck->execute(array($_SERVER['REMOTE_ADDR']));
  $result = $stmtCheck->fetchAll(PDO::FETCH_ASSOC);

  if(count($result) === 0){
      //update
  }
Philipp
  • Thank you Philipp. Right now with no traffic to my site I am just trying to get everything running correctly. I've only just learned PHP and I appreciate you pointing me in the right direction. My next step will be to implement via PDO, as other respondents have pointed out I should be doing. – BigRob250 Jul 15 '16 at 21:09
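Putting the three suggestions in this thread together (Marc B's non-cacheable page, Philipp's prepared statements, Jeff's unique constraint), here is an added example of what the top of voting.php could look like; it is not code from the question or the answer. The table and column `w_poll_counter.user_IP` and the DSN come from the thread; the `UNIQUE` key, the `answer` column name and the credentials are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumed one-time schema change (Jeff's comment), so the database itself refuses a second vote:
//   ALTER TABLE w_poll_counter ADD UNIQUE KEY uniq_voter (user_IP);

// 1. Marc B: keep voting.php out of the browser cache, so pressing Back re-requests the
//    page from the server and this check runs again instead of a cached copy being shown.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: 0');

$pdo = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8', 'dbUser', 'dbPassword', // assumed credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

$voterIp = $_SERVER['REMOTE_ADDR'];

// 2. Philipp: the IP is bound as a parameter and never becomes part of the SQL text.
$check = $pdo->prepare('SELECT 1 FROM w_poll_counter WHERE user_IP = ? LIMIT 1');
$check->execute([$voterIp]);
if ($check->fetchColumn() !== false) {
    // already voted: show results, same as the asker's original redirect
    header('Location: scripts/show_results.php');
    exit();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['answer'])) {
    // 3. Jeff: the UNIQUE key is the real guard. Two tabs, or a double submit, that both pass
    //    the SELECT above still cannot both INSERT; the loser gets SQLSTATE 23000 (integrity
    //    constraint violation) and is simply sent to the results page like any repeat voter.
    try {
        $insert = $pdo->prepare('INSERT INTO w_poll_counter (user_IP, answer) VALUES (?, ?)');
        $insert->execute([$voterIp, $_POST['answer']]); // 'answer' column is assumed
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') {
            throw $e; // anything other than a duplicate key is a real error
        }
    }
    header('Location: scripts/show_results.php');
    exit();
}

// ... otherwise render the poll form (omitted)
```

Note that the `SELECT` before the `INSERT` is now only a convenience for a friendlier redirect; correctness rests on the unique key, which also closes the race the check-then-insert pattern alone leaves open.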