0

Let's say I want to open a simple, simple poll which could be hand-made via PHP. There are only two options. Option A or Option B. Without telling people to register, what is the most secure way to deter cheating?

If possible, I would like to use MySQL to store the data such as the votes. I am not asking for code, I am asking for ways on what I should do.

I say no registering because it puts people off just for a simple vote...

Thank you and have a good day.

test
  • 2
    I would ignore the IP and use a cookie; still, registration is the only reliable option. –  Sep 09 '11 at 03:39
  • See my answer here: http://stackoverflow.com/questions/1246705/limit-1-vote-per-ip-address/1246722#1246722 – RiddlerDev Sep 09 '11 at 03:42
  • It's just a simple poll: pancakes or waffles... nothing too serious o_O – test Sep 09 '11 at 18:33

4 Answers

4

There is no "good" way, let alone a "secure" way. Store their IP address, and don't allow additional votes from that IP. People behind NAT get screwed, but it's really the only thing you can do.

Alternatives include sending them a cookie which prevents them from voting twice, but that is trivially circumvented by even the most tech-unsavvy user.

user229044
2

Give each voter an evercookie. It's sneaky as all hell, and some people take issue with them, but if you want a fairly good guarantee this is probably it.

Chris Eberle
1

Defence in depth. Store as much identifying information as you can.

Store IP address, browser agent, host address, host name ... everything you like the look of, in your MySQL table. If ALL of these match, then it's someone trying to dupe.

Set a cookie to stop them voting. If this exists, they're trying to dupe.

Set a Flash cookie to stop them voting (entirely different to normal cookies, get Googling :P). If this exists, they're trying to dupe.

Plus anything else you can think of. There will always be ways to get around it, of course, as it's always extremely hard to say "yes, that almost untraceable request came from that person", but it's more about making it a MASSIVE pain in the ass to beat the system with something like this.

Joe
  • This looks the most plausible way... thanks. However, I don't know what a flash cookie is, so I'll stick with a regular cookie. – test Sep 09 '11 at 03:47
  • Quick read on flash cookies - http://www.ghacks.net/2007/05/04/flash-cookies-explained/ They're VERY invasive (and therefore highly unethical), but if you want to track people for something like this, really bloody useful :P – Joe Sep 09 '11 at 03:48
  • 2
    Nothing, *nothing* about this is a massive pain-in-the-ass to circumvent. Every single thing is circumvented by using wget or curl, which don't accept cookies or flash cookies and submit no user agent string. Everything you mentioned is trivially easy to forge. – user229044 Sep 09 '11 at 04:02
  • "Plus anything else you can think of. There will always be ways to get around it, of course". I'm not trying to pretend that it's actually secure, we all know it's not. There are other things you can do to make things awkward, and you should, but at the end of the day, it will ALWAYS be possible to circumvent it. – Joe Sep 09 '11 at 04:12
-1

IP is the way to go without registration. You could also get and check the user agent in addition to the IP address; this might allow for a few more people who are using different computer configurations from the same IP address. Good luck.

Adam
  • IP is definitely not the preferred choice... too many proxy servers and NAT routers and ISPs that reuse IPs... – RiddlerDev Sep 09 '11 at 03:44
  • The question is about a simple, simple poll on OP's website. IP/user agent would be an effective option for this because it's simple. It's doubtful that most of the visitors' IP addresses would change before the poll became stale. – Adam Sep 09 '11 at 04:25
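
The IP, user-agent and cookie checks suggested in the answers above, combined into one server-side routine. This is an added example, not code from any of the posters. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline; the table layout, function names and key are hypothetical.

```php
<?php
// Assumptions: SQLite in memory stands in for MySQL; all names below are hypothetical.
const FINGERPRINT_KEY = 'constructed-demo-key'; // load from config in a real deployment

function open_poll_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The UNIQUE column makes the database reject duplicates atomically, so two
    // simultaneous requests cannot both pass a "SELECT first, then INSERT" check.
    $db->exec('CREATE TABLE votes (
        id INTEGER PRIMARY KEY,
        choice CHAR(1) NOT NULL,
        fingerprint CHAR(64) NOT NULL UNIQUE)');
    return $db;
}

// Keyed hash of IP + user agent: the table never holds the raw values.
function fingerprint(string $ip, string $userAgent): string {
    return hash_hmac('sha256', $ip . "\n" . $userAgent, FINGERPRINT_KEY);
}

// Returns 'ok', 'duplicate' or 'invalid'. $hasVotedCookie is the cheap first signal.
function cast_vote(PDO $db, string $choice, string $ip, string $ua, bool $hasVotedCookie): string {
    if ($choice !== 'A' && $choice !== 'B') return 'invalid';
    if ($hasVotedCookie) return 'duplicate';
    try {
        $stmt = $db->prepare('INSERT INTO votes (choice, fingerprint) VALUES (?, ?)');
        $stmt->execute([$choice, fingerprint($ip, $ua)]);
        return 'ok'; // caller now sets the "voted" cookie on the response
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') return 'duplicate'; // integrity constraint violation
        throw $e;
    }
}

// Constructed requests (documentation-range IPs, made-up user agents).
$db = open_poll_db();
$requests = [
    ['A', '203.0.113.7', 'Mozilla/5.0 (demo browser 1)', false],  // first vote
    ['B', '203.0.113.7', 'Mozilla/5.0 (demo browser 1)', false],  // same client, cookie cleared
    ['A', '203.0.113.7', 'Mozilla/5.0 (demo browser 2)', false],  // second machine behind same NAT
    ['B', '198.51.100.9', 'Mozilla/5.0 (demo browser 1)', true],  // cookie still present
    ['C', '198.51.100.9', 'Mozilla/5.0 (demo browser 1)', false], // not a poll option
];
foreach ($requests as [$choice, $ip, $ua, $cookie]) {
    echo cast_vote($db, $choice, $ip, $ua, $cookie), "\n";
}
```

The user agent and the cookie are both supplied by the client, so the stored fingerprint is only as trustworthy as the IP address behind it, which is the limit the comments above point out.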