Help!

Email Verification For Php Forms?

shadow0324 (Joined: Jan 06, 2003; Posts: 17)
Posted: Fri Aug 19, 2005 11:15 pm

I'm working on developing a rather simple Web-based voting program for my school's upcoming Homecoming. The best I can come up with is to accept the voter's email address and send a verification link to that email address:

- User votes for 'x' and gives email address 'y'
- Table 'votequeue' stores vote 'x', email 'y', and random string 'z'
- PHP sends email to 'y' with link to a script including 'z' as a parameter
- Verification script checks 'z' and 'y' against 'votequeue'
- If match, write 'y' to 'voted' (to prevent duplicate voting) and increment votes for 'x' on 'ballot'

Our university has a protocol to accept school-issued usernames and passwords, but this isn't available on the database server we're using. Any feedback on the efficacy of the above-described method (and any suggestions on better ways to handle this sort of thing) would be much appreciated!
all_trades_jack (Joined: Aug 25, 2005; Posts: 1)
Posted: Thu Aug 25, 2005 12:28 pm

Maybe it's just my sick mind, but the first thing I thought of was free e-mail accounts. If someone wanted to "game" your system, it looks like sending in multiple votes from multiple e-mail accounts (hotmail, gmail, work, home...) could do it pretty easily. Heck... We've all got four or five, right?

Along those same lines, someone could pretty easily write a PHP script to overwrite the "FROM" field and send in a bunch of votes with random addresses from a domain they control, and all of your "verifications" could automatically forward to their same inbox.

I don't know how bulletproof your vote results need to be ("pizza preferences for lunch" or "leader of the free world") but you might think about checking multiple bits of information looking for duplicate votes. Only allowing one vote from a particular IP address might help, for example.

In general, I'd guess that if you do:

1. multiple checks (e-mail, username, IP, manual verification of each vote, etc.)
2. server-side (so they don't check out your code)

...and then NOT announce the way you'll be checking (don't give someone a roadmap for circumventing your system) you should be in pretty good shape. Few people will spend more than a minute or two trying to stuff the ballot box.

...especially if the vote includes the humanities, music, education, and political science students, who will have no idea what any of this gibberish means anyway. ;)
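The queue/verify flow laid out in the opening post, with the duplicate-vote checks the reply above suggests (one confirmed vote per address, a cap per IP), written out as an added PHP example. This is not code from the thread or from any of its posters. It assumes an in-memory SQLite database through PDO so it runs stand-alone (a real deployment would point the DSN at the school's database server), a one-hour link lifetime and a limit of three confirmed votes per IP as stand-in policy values, and it leaves the actual mail() call to the caller; the verification URL in the comment is a placeholder.

```php
<?php
// Added example (not from the thread): the votequeue / verification-link flow
// from the first post plus the duplicate checks from the reply.
// Uses an in-memory SQLite database via PDO so it runs stand-alone.
declare(strict_types=1);

const TOKEN_TTL  = 3600; // assumed: emailed links expire after one hour
const MAX_PER_IP = 3;    // assumed: confirmed votes allowed per client IP

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votequeue (email TEXT, candidate TEXT, token TEXT, ip TEXT, created INTEGER)');
$db->exec('CREATE TABLE voted (email TEXT PRIMARY KEY, ip TEXT)');
$db->exec('CREATE TABLE ballot (candidate TEXT PRIMARY KEY, votes INTEGER NOT NULL)');

// Normalise so "Y@School.edu" and "y@school.edu" cannot count as two voters.
function normalize_email(string $email): ?string
{
    $email = strtolower(trim($email));
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Steps 1-3 of the first post: store vote 'x', email 'y' and random string 'z'.
// Returns 'z'; the caller puts it in the link it mails to 'y', e.g.
// https://example.invalid/verify.php?email=<y>&token=<z>   (placeholder URL)
function queue_vote(PDO $db, string $email, string $candidate, string $ip): ?string
{
    $email = normalize_email($email);
    if ($email === null) {
        return null;
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from a CSPRNG, not rand()/uniqid()
    $stmt  = $db->prepare('INSERT INTO votequeue (email, candidate, token, ip, created) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$email, $candidate, $token, $ip, time()]);
    return $token;
}

// Steps 4-5: check 'z' and 'y' against votequeue, then record the voter and count.
// $ip would normally come from $_SERVER['REMOTE_ADDR'].
function verify_vote(PDO $db, string $email, string $token, string $ip): string
{
    $email = normalize_email($email);
    if ($email === null) {
        return 'invalid-email';
    }
    // Select by email only, then compare the token in constant time.
    $stmt = $db->prepare('SELECT candidate, token, created FROM votequeue WHERE email = ?');
    $stmt->execute([$email]);
    $match = null;
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (hash_equals($row['token'], $token)) {
            $match = $row;
            break;
        }
    }
    if ($match === null) {
        return 'no-match';
    }
    if (time() - (int) $match['created'] > TOKEN_TTL) {
        return 'expired';
    }
    // Duplicate checks from the reply: one confirmed vote per email, few per IP.
    $dup = $db->prepare('SELECT COUNT(*) FROM voted WHERE email = ?');
    $dup->execute([$email]);
    if ((int) $dup->fetchColumn() > 0) {
        return 'already-voted';
    }
    $perIp = $db->prepare('SELECT COUNT(*) FROM voted WHERE ip = ?');
    $perIp->execute([$ip]);
    if ((int) $perIp->fetchColumn() >= MAX_PER_IP) {
        return 'ip-limit';
    }

    $db->beginTransaction();
    $db->prepare('DELETE FROM votequeue WHERE email = ?')->execute([$email]); // single use
    $db->prepare('INSERT INTO voted (email, ip) VALUES (?, ?)')->execute([$email, $ip]);
    $upd = $db->prepare('UPDATE ballot SET votes = votes + 1 WHERE candidate = ?');
    $upd->execute([$match['candidate']]);
    if ($upd->rowCount() === 0) {
        $db->prepare('INSERT INTO ballot (candidate, votes) VALUES (?, 1)')->execute([$match['candidate']]);
    }
    $db->commit();
    return 'counted';
}

function ballot_count(PDO $db, string $candidate): int
{
    $stmt = $db->prepare('SELECT votes FROM ballot WHERE candidate = ?');
    $stmt->execute([$candidate]);
    return (int) $stmt->fetchColumn();
}

// Constructed walk-through: one voter, one wrong link, one good link, one replay.
$ip = '203.0.113.5';
$z  = queue_vote($db, 'Voter@School.edu', 'x', $ip);
echo verify_vote($db, 'voter@school.edu', 'not-the-token', $ip), PHP_EOL; // wrong 'z'
echo verify_vote($db, 'voter@school.edu', $z, $ip), PHP_EOL;               // real link
echo verify_vote($db, 'voter@school.edu', $z, $ip), PHP_EOL;               // reused link
echo 'votes for x: ', ballot_count($db, 'x'), PHP_EOL;
```

The two design points worth keeping even if the rest changes: the token comes from random_bytes() rather than a guessable source, and it is looked up by email and then compared with hash_equals() and deleted on first use, so a leaked or replayed link cannot add a second vote. The per-IP cap only blunts the "many free mailboxes" problem the reply describes; it does nothing against a catch-all domain, which is why the reply's advice to combine several signals still stands.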
mrcheezy (Joined: Aug 25, 2005; Posts: 1)
Posted: Thu Aug 25, 2005 3:30 pm

Why not use curl or fsockopen to test their username and password against the real server (i.e. emulate a web browser logging in, and if it works, hurrah!). Save an md5sum of the user as a unique vote user ID, save their vote, and don't save their password. No way they (or you) can beat that, I don't think?

Adam.