Home arrow PHP arrow Page 3 - Creating a Fraud-proof Voting System

One Vote.php, Two States - PHP

Setting up polls or voting systems is a great way to get users more involved in your website, and keep them coming back for more. But with fraud hanging over the professional political elections, how do you keep your visitors from screaming for a recount--or worse, stuffing the ballot box? Ian Felton describes a simple system for setting up an online poll and preventing abuses.

  1. Creating a Fraud-proof Voting System
  2. One Person, Multiple Addresses, Still One Vote
  3. One Vote.php, Two States
  4. Trust but Verify
By: Ian Felton
Rating: starstarstarstarstar / 143
December 21, 2004

print this article



Next, weíll examine vote.php. Vote.php has two states: one when a user clicks on a link to vote for a song and one when they have submitted an email address and posted the form. In the first state, Vote.php has one parameter passed to it: the bandís id. The first chunk of code checks that the bandís ID is passed to the script. If it is, the script goes to the database and grabs the name of the band and the name of the song.

//Check if the bandís ID is sent as a parameter
if (isset($_GET["profile"])) {
//Select the database
mysql_select_db($database, $db);
//escape parameters to avoid tampering
$ID = (get_magic_quotes_gpc()) ? $_GET['profile'] : addslashes($_GET['profile']);

//select the bandís name and song name from the database
$query_tracks = sprintf("SELECT t1.track, t2.band FROM songs as t1, bands as t2 WHERE t1.CCID = %s and t2.CCID=%s", $ID, $ID);
$tracks = @mysql_query($query_tracks, $db);
$row_tracks = @mysql_fetch_assoc($tracks);

The second state of the script is more involved. When the form is posted, it checks for two conditions: that the same address hasnít been used to vote for that song that day and that the same computer hasnít been used to vote for that song that day. If both test pass, then an email is sent to the address for the user to click for verification.

//Check that the form has been posted.
if ((isset($_POST["insert"])) && ($_POST["insert"] == "form1")) {
//select the database
mysql_select_db($database, $db);
//get todayís month and day
$date = date("md");
//initialize variables that were posted from the form
$email = (get_magic_quotes_gpc()) ? $_POST['email'] : addslashes($_POST['email']);
$song = (get_magic_quotes_gpc()) ? $_POST['song'] : addslashes($_POST['song']);
$ID = (get_magic_quotes_gpc()) ? $_POST['bandID'] : addslashes($_POST['bandID']);
//Setup data for test #1. Has the same email been used today to vote for this song?
$query_Votes = sprintf("SELECT time FROM votes WHERE email = %s AND bandID = %s ORDER BY time DESC", GetSQLValueString($email, "text"),
GetSQLValueString($ID, "int"));
$Votes = @mysql_query($query_Votes, $db);
$row_Votes = @mysql_fetch_array($Votes);
$current_time = $row_Votes['time'];
$month2 = substr($current_time, 4, 2);
$day2 = substr($current_time, 6, 2);
$date2 = $month2.$day2;
//Setup data for test#2. Has the same computer been used today to vote for this song?
$query_Votes = sprintf("SELECT time FROM votes WHERE IP = %s AND bandID = %s ORDER BY time DESC", GetSQLValueString($_SERVER['REMOTE_ADDR'], "text"), GetSQLValueString($ID, "int"));
$Votes = @mysql_query($query_Votes, $db);
$row_Votes = @mysql_fetch_array($Votes);
$current_time = $row_Votes['time'];
$month3 = substr($current_time, 4, 2);
$day3 = substr($current_time, 6, 2);
$date3 = $month3.$day3;

//Does the vote pass both test? If so, insert the vote into the database.
if ( ($date > $date2) && ($date > $date3) ) {
$insertSQL = sprintf("INSERT INTO votes (email, pending, song, bandID, IP) VALUES (%s, %s, %s, %s, %s)",
GetSQLValueString($email, "text"),
GetSQLValueString('0', "int"),
GetSQLValueString($song, "text"),
GetSQLValueString($ID, "int"), GetSQLValueString(strip_tags($_SERVER['REMOTE_ADDR']), "text"));
$Result1 = mysql_query($insertSQL, $db);
//retrieve the ID of the vote
$id = mysql_insert_id();
//Get the time it was entered
$selectSQL = sprintf("SELECT time FROM votes where id = %s", GetSQLValueString($id, "int"));
$Result2 = mysql_query($selectSQL, $db);
$row_Time = @mysql_fetch_array($Result2);

//Send an email for use for verification using the timestamp as a key
mailPending($_POST['email'], $_POST['bandID'], $row_Time['time']);
$'message = "Thanks for your vote. Come back tomorrow, vote again and keep listening to your favorite bands on United Bands.";
//If the vote doesnít pass the test notify the user that they have to wait until tomorrow.
else {
$message = "You have to wait until tomorrow to vote again for this song. You can vote for other songs you haven't voted for today.";
//Mails the voter a verification email.
function mailPending($to, $bandID, $time) {
$message .='Thanks for voting. Please click this link to verify your vote. http://unitedbands.com/verify.php?band='.$bandID.'&time='.$time.'&email='.$to;
$subject = "Thanks for Voting at UnitedBands.com";
$mailResult=send_email($to, $subject, $message);

>>> More PHP Articles          >>> More By Ian Felton

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates


Dev Shed Tutorial Topics: