1

I'm implementing a voting system like Stackoverflow's. How can I implement this so it is hack proof?

I've got some PHP that does database work according to the ajax request sent after the javascript parses it. Would doing a query to check the current vote state of a user be enough to avoid unauthorised votes?

el_pup_le
  • Any serious "hack proofing" would have to take place on server side, so I guess you should ask about that instead – Pekka Dec 22 '11 at 11:34
  • The hack-proofness is *always* done on the server, not the client. Your JavaScript can be manipulated/disabled by *anyone*. Your PHP code can't. – Matt Dec 22 '11 at 11:34
  • The most important thing to keep in mind is that while front end validation will be useful for presentation and reducing server requests it is not a suitable place for core validation. Use your php code to validate the votes. – CBusBus Dec 22 '11 at 11:36
  • This type of question might be a better fit at the [codereview.SE] site. – Merlyn Morgan-Graham Dec 22 '11 at 11:38
  • Are you sure your question has been answered? – Gumbo Dec 22 '11 at 16:28
  • @Gumbo I've opened the question again. – el_pup_le Dec 23 '11 at 02:18

2 Answers

7

It is definitely possible to implement a pretty reliable solution. But this must be done server-side.

Basic rule of security: you don't trust client data.

Move all your checks to PHP and make your javascript as dumb as

$(".vote").click(function(e) {
    // vote_data: whatever identifies the vote (e.g. post id and direction)
    $.post('/vote.php', vote_data, function(result) {
        // update UI according to returned result
    });
});

It's a common thing, however, to still do checks on the client, but as a way to improve usability (mark required form fields that weren't filled) or reduce server load (by not sending obviously incomplete data). These client checks are for the user's comfort, not for your security.

Answering your updated question:

If you store a full log of when which user voted for which question, then yes, it's pretty easy to prevent multiple voting (when a user can vote for the same thing several times). Assuming, of course, that anonymous votes are not allowed.

But if you have a popular site, this log can get pretty big and be a problem. Some systems try to get away by disabling voting on old articles (and removing corresponding log entries).

What if someone intentionally tries to hack me?

There are different types of attacks a malicious user can perform.

CSRF (cross-site request forgery)

The article lists some methods for preventing the attack. Modern Ruby on Rails has built-in protection, enabled by default. Don't know how it is in the PHP world.

Clickjacking

This attack tricks users into clicking on something that isn't what they think. For example, they may click "Play video", but the site will intercept this click and post on the user's wall instead.

There are some articles on the Web as well.

Sergio Tulentsev
  • CSRF? Clickjacking? you get a -1. – rook Dec 22 '11 at 15:33
  • It is a pretty salient point though. +1 to @Rook. Whilst a lot about your answer is excellent, all the answers so far have only really addressed relatively legitimate and honest user-behaviour -- primarily focussing on stopping duplicate votes. You also need to consider how to stop the system being gamed by malicious users stealing others' votes, before they get a chance to (intentionally) cast their own vote choice, themselves. If I can get 10,000 users to vote on my behalf, without them realising that they are doing it, I don't need duplicate votes to game the results. – Cheekysoft Dec 22 '11 at 16:19
  • I didn't say I don't agree with you two. Updated the post – Sergio Tulentsev Dec 22 '11 at 17:11
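
The server-side checks discussed in the answer above (identity taken from the session, a CSRF token, one vote per user per post), as an added example that is not part of the original answer or its comments. The `votes` table, `make_db()`, `cast_vote()` and the sample session are assumptions, and it assumes the `pdo_sqlite` extension so it can run stand-alone against an in-memory database.

```php
<?php
// Added example, not the answer's code. Table and function names are hypothetical.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The vote log itself enforces "one vote per user per post".
    $db->exec('CREATE TABLE votes (
        user_id INTEGER NOT NULL,
        post_id INTEGER NOT NULL,
        value   INTEGER NOT NULL,
        PRIMARY KEY (user_id, post_id))');
    return $db;
}

function cast_vote(PDO $db, array $session, array $post): string {
    // Identity comes from the server-side session, never from request data.
    if (empty($session['user_id'])) {
        return 'denied: not logged in';
    }
    // CSRF: the request must carry the token stored in the session.
    $sent = $post['csrf_token'] ?? '';
    if (empty($session['csrf_token']) || !is_string($sent)
        || !hash_equals($session['csrf_token'], $sent)) {
        return 'denied: bad CSRF token';
    }
    $postId = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT);
    $value  = filter_var($post['value'] ?? null, FILTER_VALIDATE_INT);
    if ($postId === false || !in_array($value, [-1, 1], true)) {
        return 'denied: malformed vote';
    }
    try {
        $db->prepare('INSERT INTO votes (user_id, post_id, value) VALUES (?, ?, ?)')
           ->execute([$session['user_id'], $postId, $value]);
        return 'ok';
    } catch (PDOException $e) {
        // SQLSTATE 23000 = constraint violation, i.e. this user already voted.
        // Unlike SELECT-then-INSERT, this cannot be raced by parallel requests.
        if ((string) $e->getCode() !== '23000') throw $e;
        return 'denied: already voted';
    }
}

// Constructed session and requests: a valid vote, the same vote replayed,
// a request without the CSRF token, and an out-of-range vote value.
$db = make_db();
$session = ['user_id' => 42, 'csrf_token' => bin2hex(random_bytes(32))];
$good = ['post_id' => '7', 'value' => '1', 'csrf_token' => $session['csrf_token']];
$requests = [$good, $good, ['post_id' => '8', 'value' => '1'], ['value' => '99'] + $good];
foreach ($requests as $r) echo cast_vote($db, $session, $r), "\n";
```

In a real `vote.php`, `$session` would be `$_SESSION` and `$post` would be `$_POST`. For the clickjacking case, sending `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`) on pages that show vote buttons keeps them from being framed by another site.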
0

NOTE: THIS IS AN ANSWER TO THE ORIGINAL QUESTION
Don't downvote it just because the OP radically changed his question.


It's a huge error even just thinking of relying on browser-side components to enforce application logic. Javascript should be used, in untrusted environments, exclusively for presentation purposes.

All application logic should be implemented, validated and enforced server-side.

CAFxX
  • For the downvoters: the original question was totally different - it asked for feedback on a "hack-proof" JS script (yes, you read that right). [Click here](http://stackoverflow.com/posts/8603285/revisions) to see the original for yourself. – CAFxX Dec 22 '11 at 19:41
  • I most certainly did not ask that :P – el_pup_le Dec 23 '11 at 02:17
  • @amiawizard well, I think you did. You tagged your question with "php, **javascript, xss, jquery**" and you posted a **javascript** snippet **asking for feedback on it** ("Does this look spaghetti to you?"). Pardon me, but if that wasn't a question about javascript then it was horribly formulated. – CAFxX Dec 23 '11 at 08:41
  • @CAFxX The original question was “How can I implement this so it is hack proof? Does this look spaghetti to you?” – Your answer does only marginally answer it: client-side is not sufficient. But how can he actually implement such so that it is hack proof? – Gumbo Dec 23 '11 at 08:48
  • @amiawizard If that's the case I suppose I'll have to flag your question as "overly broad". Had you posted some PHP code, asking specific questions, this would have not been the case. – CAFxX Dec 23 '11 at 08:51