Torkell

Stealth Admin

Joined: Jul 2004

Posts: 2,153


Feb 27, 2007, 09:21 AM
Thinking about it, md5'ing the ip (plus some magic number) would work quite well. Include that in a hidden field (or in the generated URL), and simply check that it's correct when the user submits the page. That prevents anyone being tricked into going straight to the submitReview.php or helpful.php page. Something along the lines of
Code:
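// md5() already returns a 32-character hex string, so no extra hex step is needed
$hash = md5($_SERVER['REMOTE_ADDR'] . "super-sekrit-tek");
$url = $url . "&check=" . $hash;

...

// Recompute the same value on submit and compare it with what the client sent
$hash = md5($_SERVER['REMOTE_ADDR'] . "super-sekrit-tek");
// Strict comparison: a missing value fails, and no loose type juggling on the hex strings
if (!isset($_GET['check']) || $_GET['check'] !== $hash)
{
    print ("Lame vote hacker detected");
    exit();
}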
should work. It doesn't matter what you append to the ip as long as your code knows to check for it - the point of that is to stop someone else writing a script to generate the links (which they could if it was an md5 of just the ip address). Hardcoding a string works fine.

It should make it impossible for someone to trick someone else into voting for a review, but it won't stop anyone who decides to simulate a bot clicking on the link lots of times (that's what IP bans are for).


Oh, while I was looking I think I spotted an error in your HTML: on downloads/info.php, I couldn't see a closing FORM tag for the review form.
__________________
-- Torkell
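
An added example, not part of Torkell's post: the same check-value idea written with a keyed hash (HMAC-SHA256) and a constant-time comparison, going one step further by also binding the value to the action and review id so a link generated for one review cannot be reused for another. The function names, the `VOTE_SECRET` constant and the `id`/`action` parameters are assumptions; only `helpful.php` and `check` come from the post.

```php
<?php
// Added example (not from the original post). All function names are hypothetical.

// Assumption: a long random secret, stored outside the web root and source control.
const VOTE_SECRET = 'replace-with-a-long-random-value';

// Build the check value for one action on one review from one client IP.
function vote_token(string $ip, string $action, int $reviewId): string
{
    // Newline-separated fields so ("1", "23") and ("12", "3") cannot collide.
    $message = implode("\n", [$ip, $action, (string) $reviewId]);
    return hash_hmac('sha256', $message, VOTE_SECRET);
}

// Generate the link that is printed on the page.
function vote_url(string $ip, string $action, int $reviewId): string
{
    return 'helpful.php?' . http_build_query([
        'id'     => $reviewId,
        'action' => $action,
        'check'  => vote_token($ip, $action, $reviewId),
    ]);
}

// Verify on submit: recompute the value and compare in constant time.
function vote_token_valid(string $ip, array $query): bool
{
    $check  = $query['check']  ?? null;
    $action = $query['action'] ?? null;
    $id     = $query['id']     ?? null;
    if (!is_string($check) || !is_string($action) || !is_string($id) || !ctype_digit($id)) {
        return false; // missing, array-valued or malformed parameter
    }
    return hash_equals(vote_token($ip, $action, (int) $id), $check);
}

// Constructed sample run (203.0.113.7 and 198.51.100.9 are documentation addresses).
$ip  = '203.0.113.7';
$url = vote_url($ip, 'helpful', 42);
parse_str(parse_url($url, PHP_URL_QUERY), $query);

var_dump(vote_token_valid($ip, $query));                   // same IP, untouched link
var_dump(vote_token_valid('198.51.100.9', $query));        // link opened from another IP
var_dump(vote_token_valid($ip, ['id' => '43'] + $query));  // value reused for another review
```

In a real handler the first argument would be `$_SERVER['REMOTE_ADDR']` and the second `$_GET`.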