help.....Please!

Anon

I am very new to php. I have been writing a vote program for a website I work on. Here's the url

http://www.tfmatrix.com/stormrider/vote/gobot/vote.htm

Well I posted this form on our private board for error testing. One of the guys on there was able to add stuff into my table on view votes totals page.

He said while he was on the 2nd page,

http://www.tfmatrix.com/stormrider/vote/gobot/gbaddvote.php

that he simply added ?vote=tester

onto the end of that url to add that into the table.

My question is this how do I prevent him from doing this?!?!?!?

Here is the code I have for this page.

<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#006666" link="#FFFFFF">
<?

$vote=
if ($vote == "") {
$vote_err = "<font color=white size=5><center><b>You did not enter a Selection. Please return to the vote form and try again.</b></center></font><br>";
$send = "no";
}

if ($send != "no") {

$db_name="dbname";
$table_name="tablename";

$connection = mysql_connect("localhost", "dbname", "password") or
die("Couldn't connect.");

$db= mysql_select_db($db_name, $connection) or die ("Couldn't Select database.");

$sql = "
insert into $table_name
(vote)
values
(\"$vote\")
";

$result= mysql_query($sql, $connection) or die ("Couldn't execute query.");

echo "<div align=\"center\">
<p><font size=\"6\" color=\"#CCCC00\">Your vote for $vote </font></p>
<p><font size=\"6\" color=\"#CCCC00\">has been recorded.</font></p>";

} else if ($send == "no") {

echo "$vote_err";
echo "<a href=\"vote.htm\"><font color=white size=5><center><b>Back to Vote Form</b></center></font></a>";

}

<p> </p>
<p> </p>
<table width="75%" border="0" align="center">
<tr>
<td>
<div align="center"><font color="#CCCC00"><b><font color="#FFFFFF"><a href="http://www.transfandom.com">Return
to home page</a></font></b></font></div>
</td>
<td>
<div align="center"><font color="#CCCC00"><b><font color="#FFFFFF"><a href="viewgbtots.php">View
vote totals</a></font></b></font></div>
</td>
</tr>
</table>
<p> </p>

</body>

Can anyone help me?

--stormie

nashirak

You could do something like read the query string or something simple like check and make sure that it was a POST method before doing anything.

if($REQUEST_METHOD != "POST") {

echo "Hacker!!!!";
}
else {
// do the rest

brandonschnell

and any decent hacker will just create their own custom page and do a POST from that.

1) use addslashes() around anything placed in a database from a user.

2) use an UPDATE table SET col=col+1 WHERE vote = '$vote' . otherwise if you do use the INSERT use a SELECT count(col) FROM table WHERE vote = 'valid vote option' to only count valid votes.

3) set a cookie on the clients computer to avoid counting votes multiple times. any such vote system will not 100% accurate by any stretch of the imagination.

Anon

You should use:
if ($HTTP_POST_VARS['vote'] || $HTTP_GET_VARS['vote']){
mail("yourmail@yourdomain","Attempting to hack your site!!!",$HTTP_SERVER_VARS['REMOTE_ADDR']);
}else{
//Fine. Do something here...

}

vsego

And decent hacker will easily remove the cookie. :-)

4) Check $HTTP_REFERER to be sure that POST request came from your own form. Not that this isn't hackable, but makes it a bit more complicated at least for hacking beginners.

Anon

Thanks for all of your help! You guys rock.

I worked hard to get this program done and to have a 16 yr old hack it and show me up was bruising to my ego. Thank you for giving me the tools to save face and show him that this fem is a force to be reckin' with!

brandonschnell

hence the comment:

"any such vote system will not 100% accurate by any stretch of the imagination. "

$HTTP_REFERER isn't supported by all browsers.

the more complicated the voting system becomes the more likely it'll piss off the users. its all about striking a balance between useablity and "hackability".

vsego

Solution, of course, depends on targeted audience (i.e. is it company network).

"$HTTP_REFERER isn't supported by all browsers." - didn't know that. Which ones?

brandonschnell

from the php manual:

$HTTP_REFERER
The address of the page (if any) which referred the browser to the current page. This is set by the user's browser; not all browsers will set this.

aol browsers seem to be the worst from what i've read. haven't really experimented with the $HTTP_REFERER var myself after realizing that it was next to useless. any decent hacker should be able to spoof a $HTTP_REFERER with telnet and a couple of minutes.