Making a Poll using MYSQL help

vinnieza
Allowed to Drink!!!!
Posts: 3258
Joined: Sun Mar 07, 2004 12:09 pm
Location: Pluto
Contact:

Post by vinnieza »

Hey, I'm trying to make a poll which uses a MySQL database (I don't even know if it's possible as I decided to do it as a challenge so it can help me learn PHP). Anyway I have finished the basics part and now when you vote it stores your IP and the option you voted for in the database. Anyway now my next challenge is to make it so that people with the same IP can only vote once and haven't got a clue how I can go about doing this.

So my question, how can I search the MySQL table for the IP address? For example the table is:

voting

option    ipaddress
B         1111.111.11
A         1212.121.41

So is there a SQL query I can use to see if there is an ipaddress 4912.121.49?

Then I was thinking of doing:

$result="mysql_query($ipcheck)";

if ($result==true or $ip or somthing?)
echo "sorry you can only vote once"

else

mysql_query($query);

Well something along those lines. Not even sure if that is right or if you can do that.

Anyway any help will be appreciated. Thanks :)

NB: White Italics means comment (not in code)
My site: www.vthemes.co.uk
* no questions asked *

Post by vinnieza »

Thanks to Chris I've done it now :). Thanks Chris

Code: Select all

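// $ip (the voter's address) and $query (the INSERT for the vote) are assumed to be set earlier in the script.
$ipckq = "SELECT ipaddress FROM voting WHERE ipaddress = '$ip'";
$result = mysql_query($ipckq);
// Number of existing rows with this address; non-zero means it has already voted.
$ipckn = mysql_num_rows($result);
if ($ipckn != 0)
{
    echo "Sorry you can only vote once";
}
else
{
    mysql_query($query);
}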


My next challenge is to display the results :)
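
The once-per-IP check from the post above, as an added example that is not part of the original thread: a UNIQUE index makes the database itself refuse the second vote, so two simultaneous requests cannot both pass a SELECT-then-INSERT check, and placeholders keep the values out of the SQL text. It uses PDO with an in-memory SQLite database so it runs offline; the column name `choice` and the helper `cast_vote()` are assumptions.

```php
<?php
// Added example, not the poster's code. In-memory SQLite via PDO so it runs
// offline; against MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE on ipaddress: the database rejects a second row for the same address.
// "choice" is an assumed column name standing in for the thread's option column.
$db->exec('CREATE TABLE voting (choice TEXT NOT NULL, ipaddress TEXT NOT NULL UNIQUE)');

/**
 * Store one vote per IP address (hypothetical helper).
 * Returns true if the vote was stored, false if the address already voted.
 */
function cast_vote(PDO $db, string $choice, string $ip): bool
{
    // Refuse anything that is not a valid IPv4/IPv6 literal.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    // Placeholders bind both values as data, never as SQL text.
    $stmt = $db->prepare('INSERT INTO voting (choice, ipaddress) VALUES (?, ?)');
    try {
        $stmt->execute([$choice, $ip]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 is an integrity constraint violation (duplicate key).
        if (substr((string) $e->getCode(), 0, 2) === '23') {
            return false;
        }
        throw $e;
    }
}

// Constructed sample requests using documentation-range addresses.
// In a real page the address would come from $_SERVER['REMOTE_ADDR'].
$requests = [['A', '192.0.2.10'], ['B', '198.51.100.7'], ['B', '192.0.2.10']];
foreach ($requests as [$choice, $ip]) {
    echo $ip, ': ', cast_vote($db, $choice, $ip) ? "vote stored\n" : "Sorry you can only vote once\n";
}
```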

Post by vinnieza »

Yay done

http://www.members.lycos.co.uk/b4c/vote/index.php

Sorry about the colours and lack of presentation. I did it really quickly but now I have the script for it :D

Now someone could easily bypass the IP lock out if they used a proxy or had a dial up or if they changed their IP manually, but to solve that issue I'd expect you could use a member login.

Edit: and I've just made a basic logon page, and I just tried using the SQL injection

Code: Select all

' or 1=1--
and it didn't bypass it :D

Now to find a way to do things when you're logged on
fac51
Gaming Guru
Posts: 14526
Joined: Sat Jun 14, 2003 11:00 am
Location: Rapture
Contact:

Post by fac51 »

Nice work with the SQL injection testing

Post by vinnieza »

Ok here's the finished version:

http://members.lycos.co.uk/b4c/combinationvz/index.php

There's probably loads of exploits :oops:. If you find one tell me :)

I just thought, on the results page if the percentage is a recurring number it's going to post loads of numbers. How can I stop that, or is it rounded to a certain dp automatically?
Last edited by vinnieza on Sun Jun 19, 2005 1:03 pm, edited 1 time in total.

Post by fac51 »

Dunno, and try doing some of the basic tests on this hackers' wargames site. Teaches you how to protect yourself from all forms of exploits by showing you how they're done. Good fun doing them too ;)


http://www.hackthissite.org/

The forum is full of kids though, so probably best to avoid it

Post by vinnieza »

I'm registered on that site under kolicha, that's where I picked up that SQL injection from (before I went there I never knew anything about it) :)

Ignore my points, I was using sk tactics :oops: as I didn't have a clue where to start. I'll probably start again during my holiday and learn more about it. However, I understood how things worked.

Edit: Fixed :)

Now it also checks to see if the member has posted before and if they have it stops them from voting; so if the user is on dialup and logs on with another IP it still stops them. Nothing stopping them from registering with a different IP and voting again though.
Chris
Web Design Guru
Posts: 1641
Joined: Fri Jun 27, 2003 8:16 pm
Location: England
Contact:

Post by Chris »

vinnieza wrote: Ok here's the finished version:

http://members.lycos.co.uk/b4c/combinationvz/index.php

There's probably loads of exploits :oops:. If you find one tell me :)

I just thought, on the results page if the percentage is a recurring number it's going to post loads of numbers. How can I stop that, or is it rounded to a certain dp automatically?


$newnumber = number_format($number,2);

That makes it 2 decimal places. etc

Post by vinnieza »

Thanks Chris, they're now rounded to 2dp :)

Edit: Passwords are now encrypted thanks to Chris :), he's a genius :D
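
For the logon-page test with `' or 1=1--` and the later note that passwords are now protected, an added example that is not code from the thread: a concatenated lookup beside a login that binds the username as a parameter and checks the password against a stored hash. The thread does not say how the passwords were protected; `password_hash()`/`password_verify()`, the `members` table, its columns and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO so it
// runs offline; table, column and function names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

// Constructed sample account; only a salted hash of the password is stored.
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Weak form: the username is pasted into the SQL text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function user_exists_concat(PDO $db, string $user): bool
{
    $sql = "SELECT username FROM members WHERE username = '$user'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the input is bound as data, and the password is compared
// with the stored hash by password_verify().
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$probe = "' or 1=1--";  // the test string quoted in the thread
foreach ([
    'concatenated lookup, probe' => user_exists_concat($db, $probe),
    'login(), probe'             => login($db, $probe, 'anything'),
    'login(), wrong password'    => login($db, 'alice', 'wrong'),
    'login(), right password'    => login($db, 'alice', 'correct horse'),
] as $case => $ok) {
    echo str_pad($case, 28), $ok ? "accepted\n" : "rejected\n";
}
```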