RE: [PHP] vote package
From: Noel Butler

> On Fri, 2009-08-28 at 08:33 -0400, Bob McConnell wrote:
>
>> Forging IP addresses is actually quite simple. VMs do it all the time when bridged to the real NIC. There are also some projects on SourceForge designed to load test HTTP servers that do similar things. I have an application I wrote for testing that can emulate an entire class B subnet full of computers. All it takes is a little digging around on Google, a FreeBSD system installed in a VM and a little knowledge of the local network topology. In my case I have several blocks of addresses allocated by the local administrator for this test bed.
>
> sorry if this explodes your bubble, but you don't need FreeBSD to do it :)

Yes, I know. I only mentioned FreeBSD because I have actually used it. It was already available in a VM because I was playing with DummyNet for another test bed project. But I haven't tried similar tasks on Linux yet.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] vote package
From: Ben Dunlap

>> You might try to use the reported IP of the submitter, again unique, but that can be forged -- so again anyone can vote more than once.
>
> Can you say more about forging the reported IP? I've always been under the impression that forging the source IP in a TCP session is a pretty sophisticated operation, but maybe I'm mistaken about that.

Forging IP addresses is actually quite simple. VMs do it all the time when bridged to the real NIC. There are also some projects on SourceForge designed to load test HTTP servers that do similar things. I have an application I wrote for testing that can emulate an entire class B subnet full of computers. All it takes is a little digging around on Google, a FreeBSD system installed in a VM and a little knowledge of the local network topology. In my case I have several blocks of addresses allocated by the local administrator for this test bed.

Bob McConnell
RE: [PHP] vote package
On Fri, 2009-08-28 at 08:33 -0400, Bob McConnell wrote:

> Forging IP addresses is actually quite simple. VMs do it all the time when bridged to the real NIC. There are also some projects on SourceForge designed to load test HTTP servers that do similar things. I have an application I wrote for testing that can emulate an entire class B subnet full of computers. All it takes is a little digging around on Google, a FreeBSD system installed in a VM and a little knowledge of the local network topology. In my case I have several blocks of addresses allocated by the local administrator for this test bed.
>
> Bob McConnell

sorry if this explodes your bubble, but you don't need FreeBSD to do it :)
Re: [PHP] vote package
At 9:52 PM +1000 8/27/09, Noel Butler wrote:

> Hi All,
>
> Can someone suggest a reputable vote script in php that uses mysql, doesn't need to be fancy, just have a decent reputation for not being exploited :) also tracking of users via IP to prevent ghost voting... We are using php 5.3.0, the old one fails under that, and it had known issues so we dumped it...
>
> TIA

Noel:

I think you'll run into exploitation problems regardless.

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] vote package
At 7:18 AM +1000 8/28/09, Noel Butler wrote:

> On Thu, 2009-08-27 at 10:55 -0400, tedd wrote:
>
>> I think you'll run into exploitation problems regardless.
>
> I'm getting that impression from the hours and hours I wasted yesterday prior to my post trying to find a good one :(

There's not going to be a system that blocks people from voting more than once UNLESS you require each person to register via a unique id. If that's the case, then you can collect valid one-person votes.

However, the net is not going to provide you with a unique ID. You can use an email address, which is unique, but anyone can have any number of email addresses and vote for each one. You might try to use the reported IP of the submitter, again unique, but that can be forged -- so again anyone can vote more than once.

If the votes are not important, then you can get a fair estimate by using something like this:

http://php1.net/b/flash-poll/

However, if the vote is important (one person/one vote), then unfortunately there is no way to guarantee a one-person/one-vote system by using just the net. You must have some way to specifically identify the person voting, such as a driver license #, ss#, visa, or something you mailed them -- you can't rely on anything from the net.

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] vote package
> You might try to use the reported IP of the submitter, again unique, but that can be forged -- so again anyone can vote more than once.

Can you say more about forging the reported IP? I've always been under the impression that forging the source IP in a TCP session is a pretty sophisticated operation, but maybe I'm mistaken about that.

Of course source IP isn't a reliable unique-ID, for the opposite reason also: forward proxies, NAT, etc., make it pretty likely that several users will come to the site from the same IP. So you'd end up incorrectly refusing legitimate votes.

Ben
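
The two designs discussed in this thread, side by side: a vote table keyed on the submitter's address, which refuses users who share a NAT address while admitting a repeat voter from a new address, and one keyed on a registered account. This is an added example, not code from any poster; the table names, the `castVote` helper and the sample requests are hypothetical, and in-memory SQLite (PHP 7 or later with pdo_sqlite) stands in for MySQL so it runs offline.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL;
// table names, castVote() and the sample requests are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The composite primary key lets the database itself refuse a second vote,
// so two simultaneous requests cannot both slip past a SELECT-then-INSERT check.
$db->exec('CREATE TABLE votes_by_ip (poll_id INTEGER, voter TEXT, choice TEXT,
           PRIMARY KEY (poll_id, voter))');
$db->exec('CREATE TABLE votes_by_user (poll_id INTEGER, voter TEXT, choice TEXT,
           PRIMARY KEY (poll_id, voter))');

// Returns true if the vote was stored, false if this voter key already voted.
function castVote(PDO $db, string $table, int $pollId, string $voter, string $choice): bool
{
    // $table is one of the two fixed names above, never request data.
    $stmt = $db->prepare("INSERT INTO $table (poll_id, voter, choice) VALUES (?, ?, ?)");
    try {
        $stmt->execute([$pollId, $voter, $choice]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Constructed requests: three registered users behind one NAT address, then
// user 1 voting a second time from a different address.
$requests = [
    ['user' => '1', 'ip' => '203.0.113.7',  'choice' => 'A'],
    ['user' => '2', 'ip' => '203.0.113.7',  'choice' => 'B'],
    ['user' => '3', 'ip' => '203.0.113.7',  'choice' => 'A'],
    ['user' => '1', 'ip' => '198.51.100.9', 'choice' => 'A'],
];

foreach ($requests as $r) {
    $byIp   = castVote($db, 'votes_by_ip', 1, $r['ip'], $r['choice']);
    $byUser = castVote($db, 'votes_by_user', 1, $r['user'], $r['choice']);
    printf("user %s from %-12s  IP-keyed: %-8s  user-keyed: %s\n",
        $r['user'], $r['ip'],
        $byIp ? 'accepted' : 'refused',
        $byUser ? 'accepted' : 'refused');
}
```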