1

I have setup a polling system, where when you vote it stores your external IP using:

$_SERVER['REMOTE_ADDR'];

It stores this in a database called IPlist. It also sets a cookie. In the polling page if the cookie is set or the number of mysql_num_rows is greater than 1 it disables the radio boxes. This is to prevent re-voting.

However some computers have the same external IPs. These can be hundreds at one time like at my school. If I vote on one computer nobody can vote at my school again.

Is there any way to get around this. For example to find the number of computers in the network then change mysql_num_rows. Or to find a unique Constant variable on every computer to store in a database.

Thanks.

WWW
  • 9,734
  • 1
  • 29
  • 33
ananonymouspigeon
  • 15
  • 2
  • 3
    If you're really concerned about anonymous users gaming your polling system, make them log in and tie the poll results to a user. – Jim H. Nov 10 '11 at 19:16
  • Something that would allow you to find out how many computers are in a network that doesn't belong to you would be a heck of a security problem. – NullUserException Nov 10 '11 at 19:18
  • I DON'T care about the anonymity of the users – ananonymouspigeon Nov 10 '11 at 19:18
  • For a simple solution, you can set a cookie on the browser when they vote and deny resubmission when the cookie is present. However, this is highly unreliable as the user can simply delete the cookie and revote. – nickb Nov 10 '11 at 19:19
  • If having a login system to do the votes is out of the question, then you're just going to have to trust cookies. So you'd end up having to change your logic from "if the cookie is set *or* the number rows..." to "if the cookie is set". – WWW Nov 10 '11 at 19:19
  • There is another problem: sometime people share their computer with other persons (in families, for example). If you solve your problem, they still won't be able to vote if another person voted from the same computer.What you need is to allow one vote per person, which is usually achieved with an account system. – greg0ire Nov 10 '11 at 19:21

2 Answers2

4

There's no way at all to know in advance how many devices are behind a given IP address... in fact, things are much worse than you think for AOL users (there can be tens of thousands of computers behind a given IP address (AOL Proxy).

If you're not too worried about securing the result you can drop a cookie. Otherwise, as one of the commenter suggests, a login system is a good, standard approach.

Eric J.
  • 147,927
  • 63
  • 340
  • 553
2

There is not 100% way to ensure that one person is making multiple votes. The best you can do is to make it difficult. Tie it with an email address and use something like catcha to ensure non-automated voting. Could fire off an email that requires a response to confirm the vote.

Ed Heal
  • 59,252
  • 17
  • 87
  • 127
  • Captcha has been broken since 2008. There are libraries that bot writers can use to auto-break Captcha. – Eric J. Nov 10 '11 at 19:21
  • I know - Just the thing off the top of my head - the sentiment was just make it difficult. I did say *something like* – Ed Heal Nov 10 '11 at 19:25
  • @Erik, that is true... http://en.wikipedia.org/wiki/Tesseract_(software) exists and works really well with a lot of training data. However, if the `winner` from this poll is not rewarded with some tangible prize, and the captcha is not one that already has the requisite files generated, then I think captach is a *very* good solution. – sberry Nov 10 '11 at 19:27
  • @sberry2A: There are API's that can break fairly arbitrary Captcha's using OCR, without a pre-generating any files. See the accepted answer here http://stackoverflow.com/questions/448963/has-recaptcha-been-cracked-hacked-ocrd-defeated-broken – Eric J. Nov 10 '11 at 23:02