tags:

views:

994

answers:

2
+1  Q: 

JQuery Ajax Voting

I am using this JQuery Ajax Voting system guide as a rough reference but I am a little troubled at the security of this. Right now this guide basically stores the ID of something and the vote statistics for it.

I'd like to go off a similar idea but I need to include the userID as well so a user can only vote once. This is stored in a PHP session variable and I was wondering if the ajax page that gets called will have access to that session or not. If not, what is a safe way of passing in the parameter so it can't be hijacked by a man in the middle attack or faked.

+2  A: 

The server will have access to the session data through the AJAX call as long as you do session_start(); at the top of your script. You should also make sure you sanitize your data, as I see that tutorial is doing queries without passing the data through mysql_real_escape_string. You should also do UNIQUE KEY(user_id, id) on the votes table to ensure there's no dupes.

Paolo Bergantino  2009-05-13 23:24:37
I am actually using PDO instead of the mysql library so I shall be using parameterized queries. Also, I do have a composite key set on (user_id, id) which is also unique. I think that should cover it, right?
Joe Philllips  2009-05-13 23:31:24
Yup. You're good to go.
Paolo Bergantino  2009-05-13 23:41:25
+1  A: 

You should be able to pull the same Session variable from the handler that actually stores the user vote.

As a basic security measure you could encrpyt the UserId on the page with the voting before the AJAX call and decrypt the UserId when doing the insert if it's not available in the session.

hunter  2009-05-13 23:25:31

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases