Using php to generate an image
Author |
Message |
ProgrammingFun
|
Posted: Thu Feb 24, 2011 7:59 pm Post subject: RE:Using php to generate an image |
|
|
wow, how would I go about countering that?
Perhaps I should just hope that no hacker happens to see the poll? |
|
|
|
|
|
|
|
|
Tony
|
Posted: Thu Feb 24, 2011 9:31 pm Post subject: RE:Using php to generate an image |
|
|
You can't really, unless you have a login system. But even then that only works if the cost of creating new user accounts is greater than the value of a cast vote.
Re: any IP-based suggestions -- it's a school poll. All of the students will have the same IP, while at school. |
Tony's programming blog. DWITE - a programming contest. |
|
|
|
|
Sur_real
|
Posted: Thu Feb 24, 2011 9:43 pm Post subject: RE:Using php to generate an image |
|
|
oh...yeah, forgot about that lol
what about creating sessions, so the only way would be to reopen browser? That can limit it to a certain extent... |
|
|
|
|
|
ProgrammingFun
|
Posted: Thu Feb 24, 2011 10:03 pm Post subject: Re: RE:Using php to generate an image |
|
|
Sur_real @ Thu Feb 24, 2011 9:43 pm wrote: oh...yeah, forgot about that lol
what about creating sessions, so the only way would be to reopen browser? That can limit it to a certain extent...
How would I go about doing that? That sounds like a good solution....
Is there any way that I can hide the fact that there is a process.php? Would that protect it to some extent? |
|
|
|
|
|
Tony
|
Posted: Thu Feb 24, 2011 10:24 pm Post subject: RE:Using php to generate an image |
|
|
Sessions (cookies) are easily cleared. In fact, a lot of simple net libraries don't even keep track of cookies in the first place.
Quote: hide process.php
A form must submit to some location, and I can do the same. As much as you can try to obfuscate the locations / redirects / whatever, the system is conceptually vulnerable to a Replay Attack -- http://en.wikipedia.org/wiki/Replay_attack |
|
|
|
|
DemonWasp
|
Posted: Thu Feb 24, 2011 10:30 pm Post subject: RE:Using php to generate an image |
|
|
Ultimately, no, there's no real way to hide which URL you're submitting vote data to. It's easy enough to figure that out with Firebug or equivalents. If the computer can figure it out, a malicious user can figure it out.
The only real way to avoid multiple votes is to have an authentication system. If you don't want to make user accounts yourself, or correlate name-with-student-ID or similar, then you can't really do that. A simple measure would be to put a cookie on the user's system that says "I've already voted", but this could be trivially bypassed -- even accidentally -- by either a user who knows what they're doing, or by a user who has cookies disabled for whatever reason. See here: http://php.net/manual/en/features.cookies.php |
|
|
|
|
|
Dan
|
Posted: Fri Feb 25, 2011 6:35 am Post subject: RE:Using php to generate an image |
|
|
You could send an e-mail to each student who can vote with a link to the poll that contains a unique key in the url parameters that can be only used once.
Basically you keep a table of keys, and once someone votes with that key you remove its row from the database. This would require that you have some means of giving the students their keys or a url with their key in it.
Edit: Also keys should not be simple like: 1, 2, 3, 4, 5 but longer strings that are seemingly random like:
5b19344e68b50229e839a07b0652fa71,
eb0a7a912cdfced0b68808dc8a98ac8e,
d58fb80e442e2644268475577e824ef6,
etc
But ensure that they are unique and have no obvious pattern. For example you could take the hash of the student's e-mail + a salt you never tell anyone. |
Computer Science Canada
Help with programming in C, C++, Java, PHP, Ruby, Turing, VB and more! |
|
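The single-use key table described in the post above, as an added example that is not code from the thread. It draws keys from `random_bytes` instead of hashing e-mail plus salt, stores only a hash of each key, and assumes PHP 7+ with `pdo_sqlite`; the table names, function names and choices are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained; point PDO at the real database in practice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vote_keys (key_hash TEXT PRIMARY KEY)');
$db->exec('CREATE TABLE votes (choice TEXT NOT NULL)');

// Issue one unpredictable key per voter. Only its hash is stored, so a
// leaked vote_keys table does not hand out usable keys.
function issueKey(PDO $db): string
{
    $key = bin2hex(random_bytes(16)); // 32 hex characters from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO vote_keys (key_hash) VALUES (?)');
    $stmt->execute([hash('sha256', $key)]);
    return $key; // this value goes into the e-mailed poll URL
}

// Record a vote only if the key is known, consuming the key in the same
// transaction so that a replayed request finds nothing left to delete.
function castVote(PDO $db, string $key, string $choice): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return false; // malformed key, reject before touching the database
    }
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM vote_keys WHERE key_hash = ?');
    $del->execute([hash('sha256', $key)]);
    if ($del->rowCount() !== 1) { // unknown key, or key already spent
        $db->rollBack();
        return false;
    }
    $db->prepare('INSERT INTO votes (choice) VALUES (?)')->execute([$choice]);
    $db->commit();
    return true;
}

$key = issueKey($db);
var_dump(castVote($db, $key, 'song-a'));                // first use of an issued key
var_dump(castVote($db, $key, 'song-b'));                // same request sent again
var_dump(castVote($db, str_repeat('0', 32), 'song-a')); // key that was never issued
var_dump((int) $db->query('SELECT COUNT(*) FROM votes')->fetchColumn());
```

Because the key is deleted before the vote is inserted and both happen in one transaction, resubmitting the same form data cannot add a second row to `votes`.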
|
|
|
DemonWasp
|
Posted: Fri Feb 25, 2011 8:29 am Post subject: RE:Using php to generate an image |
|
|
If you have all the student email addresses, wouldn't it be simpler to build a system that only accepts one vote per registered email address (each student votes with their email address as ID)? |
|
|
|
|
|
|
|
|
Dan
|
Posted: Fri Feb 25, 2011 9:18 am Post subject: Re: RE:Using php to generate an image |
|
|
DemonWasp @ 25th February 2011, 8:29 am wrote: If you have all the student email addresses, wouldn't it be simpler to build a system that only accepts one vote per registered email address (each student votes with their email address as ID)?
You would still have to authenticate the e-mail somehow, or students could use other students' vote if they knew their e-mail. So either way you would have to send the e-mail some kind of key. |
|
|
|
|
DemonWasp
|
Posted: Fri Feb 25, 2011 10:33 am Post subject: RE:Using php to generate an image |
|
|
Fair point. Then again, though, is this poll worth the effort of mailing everyone in the school a key and dealing with the associated extra complexity? |
|
|
|
|
|
Dan
|
Posted: Fri Feb 25, 2011 11:00 am Post subject: Re: RE:Using php to generate an image |
|
|
DemonWasp @ 25th February 2011, 10:33 am wrote: Fair point. Then again, though, is this poll worth the effort of mailing everyone in the school a key and dealing with the associated extra complexity?
Well it depends on how important the poll is. If all the students have the same kind of e-mail, such as _something_@victoriaparkci.com he could have them create a poll account which only allows accounts to be created with a valid @victoriaparkci.com e-mail (with an activation e-mail). My method was more for a one time poll, an account would be better if there will be many polls.
Looking at the link ProgrammingFun posted, it seems that this is for some kind of student forum? If that's the case why not tie it into the forum's accounts? |
|
|
|
|
ProgrammingFun
|
Posted: Fri Feb 25, 2011 1:15 pm Post subject: Re: RE:Using php to generate an image |
|
|
Dan @ Fri Feb 25, 2011 11:00 am wrote: Looking at the link ProgrammingFun posted, it seems that this is for some kind of student forum? If that's the case why not tie it into the forum's accounts?
That is exactly what I was about to ask next! Is there any way that I can use the forum accounts to log in to the poll for the user to vote (without compromising the forum database)? That way, would I be able to make a browser session with that login so to revote, they would have to log in again?
This is not actually a very important poll, it is designed as a promotion campaign for the forum...I guess you could call it important (in a way) |
|
|
|
|
|
ProgrammingFun
|
Posted: Sun Mar 06, 2011 5:17 pm Post subject: RE:Using php to generate an image |
|
|
The final poll is being launched this week...we tried to fix the script problem by adding sessions (and something else)...
Please test it here: http://forum.victoriaparkci.com/v1/playlist/
...and tell me what you think (+ any remaining bugs and errors)
Thanks! |
|
|
|
|
|
Tony
|
Posted: Sun Mar 06, 2011 5:44 pm Post subject: Re: RE:Using php to generate an image |
|
|
ProgrammingFun @ Sun Mar 06, 2011 5:17 pm wrote: we tried to fix the script problem by adding sessions (and something else)...
clearing cookies still works for multiple votes. |
|
|
|
|
ProgrammingFun
|
Posted: Sun Mar 06, 2011 6:55 pm Post subject: RE:Using php to generate an image |
|
|
Yes...but is there a script that can do that? I hope not... |
|
|
|
|
|
|
|