Next, we’ll examine vote.php. Vote.php has two states: one when a user clicks on a link to vote for a song and one when they have submitted an email address and posted the form. In the first state, Vote.php has one parameter passed to it: the band’s id. The first chunk of code checks that the band’s ID is passed to the script. If it is, the script goes to the database and grabs the name of the band and the name of the song.
//Check if the band’s ID is sent as a parameter
if (isset($_GET["profile"])) {
//Select the database
mysql_select_db($database, $db);
//escape parameters to avoid tampering
$ID = (get_magic_quotes_gpc()) ? $_GET['profile'] : addslashes($_GET['profile']);
//select the band’s name and song name from the database
$query_tracks = sprintf("SELECT t1.track, t2.band FROM songs as t1, bands as t2 WHERE t1.CCID = %s and t2.CCID=%s", $ID, $ID);
$tracks = @mysql_query($query_tracks, $db);
$row_tracks = @mysql_fetch_assoc($tracks);
}
The second state of the script is more involved. When the form is posted, it checks for two conditions: that the same address hasn’t been used to vote for that song that day and that the same computer hasn’t been used to vote for that song that day. If both test pass, then an email is sent to the address for the user to click for verification.
//Check that the form has been posted.
if ((isset($_POST["insert"])) && ($_POST["insert"] == "form1")) {
//select the database
mysql_select_db($database, $db);
//get today’s month and day
$date = date("md");
//initialize variables that were posted from the form
$email = (get_magic_quotes_gpc()) ? $_POST['email'] : addslashes($_POST['email']);
$song = (get_magic_quotes_gpc()) ? $_POST['song'] : addslashes($_POST['song']);
$ID = (get_magic_quotes_gpc()) ? $_POST['bandID'] : addslashes($_POST['bandID']);
//Setup data for test #1. Has the same email been used today to vote for this song?
$query_Votes = sprintf("SELECT time FROM votes WHERE email = %s AND bandID = %s ORDER BY time DESC", GetSQLValueString($email, "text"),
GetSQLValueString($ID, "int"));
$Votes = @mysql_query($query_Votes, $db);
$row_Votes = @mysql_fetch_array($Votes);
$current_time = $row_Votes['time'];
$month2 = substr($current_time, 4, 2);
$day2 = substr($current_time, 6, 2);
$date2 = $month2.$day2;
//Setup data for test#2. Has the same computer been used today to vote for this song?
$query_Votes = sprintf("SELECT time FROM votes WHERE IP = %s AND bandID = %s ORDER BY time DESC", GetSQLValueString($_SERVER['REMOTE_ADDR'], "text"), GetSQLValueString($ID, "int"));
$Votes = @mysql_query($query_Votes, $db);
$row_Votes = @mysql_fetch_array($Votes);
$current_time = $row_Votes['time'];
$month3 = substr($current_time, 4, 2);
$day3 = substr($current_time, 6, 2);
$date3 = $month3.$day3;
//Does the vote pass both test? If so, insert the vote into the database.
if ( ($date > $date2) && ($date > $date3) ) {
$insertSQL = sprintf("INSERT INTO votes (email, pending, song, bandID, IP) VALUES (%s, %s, %s, %s, %s)",
GetSQLValueString($email, "text"),
GetSQLValueString('0', "int"),
GetSQLValueString($song, "text"),
GetSQLValueString($ID, "int"), GetSQLValueString(strip_tags($_SERVER['REMOTE_ADDR']), "text"));
$Result1 = mysql_query($insertSQL, $db);
//retrieve the ID of the vote
$id = mysql_insert_id();
//Get the time it was entered
$selectSQL = sprintf("SELECT time FROM votes where id = %s", GetSQLValueString($id, "int"));
$Result2 = mysql_query($selectSQL, $db);
$row_Time = @mysql_fetch_array($Result2);
//Send an email for use for verification using the timestamp as a key
mailPending($_POST['email'], $_POST['bandID'], $row_Time['time']);
$'message = "Thanks for your vote. Come back tomorrow, vote again and keep listening to your favorite bands on United Bands.";
}
//If the vote doesn’t pass the test notify the user that they have to wait until tomorrow.
else {
$message = "You have to wait until tomorrow to vote again for this song. You can vote for other songs you haven't voted for today.";
}
}
//Mails the voter a verification email.
function mailPending($to, $bandID, $time) {
$message .='Thanks for voting. Please click this link to verify your vote. http://unitedbands.com/verify.php?band='.$bandID.'&time='.$time.'&email='.$to;
$subject = "Thanks for Voting at UnitedBands.com";
$mailResult=send_email($to, $subject, $message);
}
/ 143 
