
I am working on a voting system and I am stuck at making sure someone can only vote once. I looked at storing IPs but I read that places like universities use few IPs so if one person votes, most of the university is locked out of voting. Currently I use cookies, which is nice until people realize I am using cookies. It then becomes easy for them to delete the cookie and vote again. Is there any reliable way to store a user's vote and ensure that they cannot vote again? This is my current voting script:

<?php
include("config.php");

//Checks URL for any GET variables and removes them.
$url = isset($_POST['url']) ? $_POST['url'] : '';
$arr = explode("?", $url, 2);
$url = $arr[0];


//Makes sure someone didn't just go to /vote.php.
if (empty($_POST['url'])) {
    print '<script>window.location = "errorpage";</script>';
} else {

//Gets unique ID number for specific match up.
$idnumber = $_POST['id'];

//Checks to see if there is a cookie by the name of the unique matchup ID.
if (!empty($_COOKIE[$idnumber])) {

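    //If voted, go back and display already voted error.
    //json_encode() keeps the user-supplied URL from breaking out of the JavaScript string.
    print '<script> window.location = '.json_encode($url.'?error=voted', JSON_HEX_TAG | JSON_HEX_AMP).';</script>';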

} else {

    //If user doesn't have the cookie, then set it to expire in 1 year. 
    setcookie("$idnumber", "1", strtotime( '+1 year' ));

//Sets variable for a_vote or b_vote.
$voteRow = $_POST['hiddenvote'];

//Array of allowed values for column name.
$allowed = array("a_vote","b_vote");

//If $voteRow is not a_vote or b_vote, then go to error page.
if(!in_array($voteRow, $allowed)) {
    print '<script>window.location = "errorpage";</script>';
} else {

    //Adds one to the chosen column in a single atomic UPDATE. $voteRow is
    //whitelisted above; the matchup ID is bound as a parameter instead of
    //being interpolated into the SQL string.
    $sql = "UPDATE `votes` SET $voteRow = $voteRow + 1 WHERE `matchup` = :id";
    $statement = $db->prepare($sql);
    $statement->bindValue(":id", $idnumber);
    $count = $statement->execute();
    $db = null;

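//Go to vote success page.
//json_encode() keeps the user-supplied URL from breaking out of the JavaScript string.
print '<script type="text/javascript">window.location = '.json_encode($url.'?vote=success', JSON_HEX_TAG | JSON_HEX_AMP).';</script>';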
}
}
}
?>
user1895377
  • Your reliability is limited by how reliably you can identify the user. If they register - fine. If not - you need to somehow define an ID yourself. – Stoleg Apr 28 '14 at 15:00
  • Read this article please - http://stackoverflow.com/questions/15966812/user-recognition-without-cookies-or-local-storage/16120977#16120977 – Ziumin Apr 28 '14 at 15:10
  • No, there isn't a reliable way, unless you can enforce a registration system that uniquely identifies people (and I mean people, not even emails) and you possibly can't. For instance, when I submit my tax report I have a digital cert with my official ID Number issued by the National Police. – Álvaro González Apr 28 '14 at 15:58
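
The registration route the comments point at, as an added example (not code from the question or its commenters): once each voter has an account, a UNIQUE constraint on (matchup, user_id) lets the database refuse a second ballot, whatever the client does with its cookies. The `ballots` table, `castVote()`, the in-memory SQLite database and the user ids are assumptions made for the demonstration; in a real handler the id would come from the logged-in session, not from the form.

```php
<?php
// Added example: one vote per registered user, enforced server-side.
// Schema, castVote() and the sample user ids are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE votes (matchup TEXT PRIMARY KEY,
    a_vote INTEGER NOT NULL DEFAULT 0, b_vote INTEGER NOT NULL DEFAULT 0)");
$db->exec("CREATE TABLE ballots (matchup TEXT NOT NULL, user_id INTEGER NOT NULL,
    choice TEXT NOT NULL, UNIQUE (matchup, user_id))");
$db->exec("INSERT INTO votes (matchup) VALUES ('m1')");

function castVote(PDO $db, int $userId, string $matchup, string $choice): string
{
    // Column names cannot be bound, so keep the whitelist from the question.
    if (!in_array($choice, ['a_vote', 'b_vote'], true)) {
        return 'invalid';
    }
    $db->beginTransaction();
    try {
        // The UNIQUE constraint rejects a second ballot from the same user,
        // even when two requests arrive at the same moment.
        $ins = $db->prepare(
            "INSERT INTO ballots (matchup, user_id, choice) VALUES (:m, :u, :c)");
        $ins->execute([':m' => $matchup, ':u' => $userId, ':c' => $choice]);

        // Atomic increment: no read-then-write window between voters.
        $upd = $db->prepare("UPDATE votes SET $choice = $choice + 1 WHERE matchup = :m");
        $upd->execute([':m' => $matchup]);
        if ($upd->rowCount() !== 1) {      // no such matchup: undo the ballot
            $db->rollBack();
            return 'unknown_matchup';
        }
        $db->commit();
        return 'ok';
    } catch (PDOException $e) {
        $db->rollBack();
        // SQLSTATE class 23 means an integrity constraint was violated.
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'already_voted';
        }
        throw $e;
    }
}

// Constructed demo: user 42 tries to vote twice, user 43 votes once.
foreach ([[42, 'a_vote'], [42, 'b_vote'], [43, 'b_vote']] as [$uid, $choice]) {
    echo "user $uid -> ", castVote($db, $uid, 'm1', $choice), PHP_EOL;
}
print_r($db->query("SELECT a_vote, b_vote FROM votes")->fetch(PDO::FETCH_ASSOC));
```

This limits votes per account, so its strength is only as good as the check that one person holds one account.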

0 Answers