Another consideration with using files written to disk
automatically. If there's any chance that the user could
get some arbitrary value written to disk, then access the
file through the web browser, it's a HUGE security risk.

Aside from all the file-locking and mucking about with
permissions and maintaining the filesystem that Miguel
mentioned.

---
Scott Hurring
Systems Programmer
EAC Corporation
[EMAIL PROTECTED]
Voice: 201-462-2149
Fax: 201-288-1515

> -----Original Message-----
> From: Jason Soza [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 3:26 PM
> To: Miguel Cruz
> Cc: PHP-General
> Subject: Re: [PHP] voting using text files
> 
> 
> And this is why I'm not an expert!
> 
> I have a counter script on my page now that uses a flatfile to store
> IPs, but it also stores a timestamp. When someone visits the page, the
> current time is compared to the stored timestamp for that IP + whatever
> timeout period I set. If it's less, then that IP is not counted again.
> If it's more, then the previous entry is deleted and a new one written
> with a new timestamp. I have it set for 15 minutes just to keep people
> from sitting and hitting 'reload' to run up my counter.
> 
> Anyway, I figured the same type of thing could be used here, I just 
> didn't explain it. Seems that someone else came up with a simpler 
> solution anyhow!
> 
> Thanks for pointing out my idea's flaws... I'm a little biased, so I 
> don't always see them myself.
> 
> Jason Soza
> 
> ----- Original Message -----
> From: Miguel Cruz <[EMAIL PROTECTED]>
> Date: Wednesday, May 22, 2002 9:45 am
> Subject: Re: [PHP] voting using text files
> 
> > On Wed, 22 May 2002, Jason Soza wrote:
> > > Using file locking, if two people tried to use the script at the
> > > same time, wouldn't there be an error for one of them?
> >
> > The second session would just have to wait for the first to finish
> > (which should be an infinitesimal amount of time).
> >
> > > My first guess at defeating this is having the script write a file
> > > named after the voter's IP. Have the file written to a different
> > > directory for whatever choices they have, then use readdir() to
> > > count the files in each directory, i.e. the number of votes for
> > > each choice. Then if that same IP tries to vote again, check it
> > > against votes already received and approve/deny it.
> > 
> > Using IPs is a pretty lousy way of uniquely identifying users,
> > especially for a purpose like this:
> >
> > 1. If I dial in with a modem, I probably get a new IP each time I
> > connect, so I can vote as often as I like.
> >
> > 2. Many companies, ISPs, and even countries use proxy servers that
> > aggregate thousands or millions of users behind a handful of IP
> > addresses. One vote from China, Saudi Arabia or New Zealand and that
> > could be it for the country. Likewise AOL.
> >
> > Try cookies or something. Still can be defeated by the determined
> > ballot-box stuffer, but so can everything else that doesn't require
> > human verification of identity.
> > 
> > miguel
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

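A flat-file vote store written along the lines of the advice in this thread, as an added example (not code from Scott, Jason or Miguel): the data file sits outside the document root so nothing a user submits is ever served back through the browser, the choice is checked against a fixed allowlist before it goes anywhere near the filesystem, flock() makes a second concurrent request wait rather than clobber the file, and a per-voter timestamp applies Jason's 15-minute re-vote window. The file path, the choice names and the use of REMOTE_ADDR as the voter key are assumptions.

```php
<?php
// Added example, not code from any poster in this thread.
// Assumptions: VOTE_FILE is writable by the web server and lies outside
// the document root, so its contents are never served back to a browser.
define('VOTE_FILE', '/var/lib/poll/votes.json');   // assumed path
define('REVOTE_SECS', 15 * 60);                    // Jason's 15-minute window

// Fixed allowlist of choices (assumed names). User input is compared
// against this list and never used to build a file or directory name.
$CHOICES = array('apple', 'banana', 'cherry');

function record_vote($file, $choice, $voter, $now, $choices, $window) {
    if (!in_array($choice, $choices, true)) {
        return 'invalid choice';
    }
    // 'c+' opens for read/write without truncating; creates the file if missing.
    $fh = fopen($file, 'c+');
    if ($fh === false) {
        return 'cannot open vote store';
    }
    // Exclusive lock: a second concurrent request waits here, as Miguel says.
    flock($fh, LOCK_EX);
    $state = json_decode(stream_get_contents($fh), true);
    if (!is_array($state)) {
        $state = array('seen' => array(), 'counts' => array());
    }
    $last = isset($state['seen'][$voter]) ? $state['seen'][$voter] : 0;
    if ($now - $last < $window) {
        flock($fh, LOCK_UN); fclose($fh);
        return 'already voted';
    }
    $state['seen'][$voter] = $now;
    $count = isset($state['counts'][$choice]) ? $state['counts'][$choice] : 0;
    $state['counts'][$choice] = $count + 1;
    // Rewrite the whole file while still holding the lock.
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return 'counted';
}

// The voter key can be REMOTE_ADDR or, per Miguel's point, a cookie token.
$choice = isset($_POST['choice']) ? (string) $_POST['choice'] : '';
$voter  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
echo htmlspecialchars(record_vote(VOTE_FILE, $choice, $voter, time(), $CHOICES, REVOTE_SECS));
```

Swapping the voter key for a random cookie token changes nothing else in the store; it only moves the "same voter" decision off the IP address, which is the part Miguel considers unreliable.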