Vote System

Vote System 15 years 4 months ago #4933

James Topic Author Offline Fresh Boarder Posts: 8 Thank you received: 0	Why are votes stored based on IP and not the logged in user!? This is not secure. Anyway to work around this? (Hack method? ) Check this box to be notified of replies to this topic. Note: BBcode and smileys are still usable.

Vote System 15 years 4 months ago #4935

Daniel Dimitrov Offline Administrator Posts: 9618 Karma: 155 Thank you received: 1081	Why? Because joomlacomment was written initially for mambo from developers that I don't know So that is why I don't know why they choosed to use IP instead of user names. An improvement on the rating system is planned for 4.1 . Up untill then there is no hack, nothing Check this box to be notified of replies to this topic. Note: BBcode and smileys are still usable.

Vote System 15 years 4 months ago #4952

JonusC
Offline
Platinum Boarder
Posts: 785
Thank you received: 48

James wrote:

Why are votes stored based on IP and not the logged in user!? This is not secure. Anyway to work around this? (Hack method? )

The IP is stored? Are you sure? I thought this was not implemented. I can continually vote over and over again, it doesn't stop me. Is something broken on my site?

Vote System 15 years 4 months ago #4954

James
Topic Author
Offline
Fresh Boarder
Posts: 8
Thank you received: 0

^ Yes.

Here is my "fix" for basing this on logged-in users:

File: componentscom_commentjos_commentcomment.class.php

// MySQL Update Required:
	//	 "ALTER TABLE `vpo_comment_voting` ADD `user_id` INT( 11 ) NOT NULL DEFAULT '0' AFTER `id` "
    //   (note: make sure to replace "jos_" if it is different on your system)
	function voting($item, $mode)
    {
		$database =& JFactory::getDBO();
		$user = JFactory::getUser(); // (added)
		$user_id = $user->id; // (added)
 
        $t = time()-3 * 86400; // (note: guest comments removed after 3 days)
        $database->SetQuery("DELETE FROM jos_comment_voting WHERE time<'$t' AND user_id=0"); // (updated: don't remove member votes)
        $database->Query();
		if ($user->guest)
			$database->SetQuery("SELECT COUNT(*) FROM jos_comment_voting WHERE id='" . $item['id'] . "' AND ip='" . $_SERVER['REMOTE_ADDR'] . "'");
		else
			$database->SetQuery("SELECT COUNT(*) FROM jos_comment_voting WHERE id='" . $item['id'] . "' AND user_id='" . $user_id . "'");
        $exists = $database->loadResult();
        if (!$exists) {
            $item["voting_$mode"]++;
            $database->SetQuery("
			UPDATE jos_comment SET
        	voting_$mode='" . $item["voting_$mode"] . "'
        	WHERE id=$this->_comment_id");
            $database->Query() or die('Database error: voting(1)!');
            $database->SetQuery("INSERT INTO jos_comment_voting(id,user_id,ip,time)
    		VALUES(
			'" . $item['id'] . "',
			'" . $user_id . "',
			'" . $_SERVER['REMOTE_ADDR'] . "',
      		'" . time() . "')");
            $database->Query() or die("Database error: voting(2)!");
        }
       	$header = 'Content-Type: text/xml; charset=utf-8'; //.$this->_local_charset;
		header($header);
        $xml = '<?xml version="1.0" standalone="yes"?><voting><id>' . $item['id'] . '</id><yes>' . $item["voting_yes"] . '</yes><no>' . $item["voting_no"] . '</no></voting>';
		$this->_comObject->cleanComponentCache();
        exit($xml);
    }

Vote System 15 years 4 months ago #4958

JonusC
Offline
Platinum Boarder
Posts: 785
Thank you received: 48

James wrote:

^ Yes.

OK, it's been fixed in Beta 1 haha - shame on me for not checking that.

Here is my "fix" for basing this on logged-in users:
{Bunch of crazy code that looks fancy

Kind sir, please do present your feet so that I may kiss them?

You are a MACHINE! Wow... i'll be working on merging this with the experimental branch to try it out!

Vote System 15 years 4 months ago #4959

James Topic Author Offline Fresh Boarder Posts: 8 Thank you received: 0	Sorry, all I have are a bunch of faces. Check this box to be notified of replies to this topic. Note: BBcode and smileys are still usable.

Vote System 15 years 4 months ago #4961

James
Topic Author
Offline
Fresh Boarder
Posts: 8
Thank you received: 0

Method update: Prevent members from voting on their own comments:

// MySQL Update Required:
	//	 "ALTER TABLE `vpo_comment_voting` ADD `user_id` INT( 11 ) NOT NULL DEFAULT '0' AFTER `id` "
    //   (note: make sure to replace "jos_" if it is different on your system)
	function voting($item, $mode)
    {
		$database =& JFactory::getDBO();
		$user = JFactory::getUser(); // (added)
		$user_id = $user->id; // (added)
 
		if ($user->guest || $item['userid'] != $user_id)
		{
			$t = time()-3 * 86400; // (note: guest comments removed after 3 days)
			$database->SetQuery("DELETE FROM jos_comment_voting WHERE time<'$t' AND user_id=0"); // (updated: don't remove member votes)
			$database->Query();
			if ($user->guest)
				$database->SetQuery("SELECT COUNT(*) FROM jos_comment_voting WHERE id='" . $item['id'] . "' AND ip='" . $_SERVER['REMOTE_ADDR'] . "'");
			else
				$database->SetQuery("SELECT COUNT(*) FROM jos_comment_voting WHERE id='" . $item['id'] . "' AND user_id='" . $user_id . "'");
			$exists = $database->loadResult();
			if (!$exists) {
				$item["voting_$mode"]++;
				$database->SetQuery("
							UPDATE jos_comment SET
							voting_$mode='" . $item["voting_$mode"] . "'
							WHERE id=$this->_comment_id");
				$database->Query() or die('Database error: voting(1)!');
				$database->SetQuery("INSERT INTO jos_comment_voting(id,user_id,ip,time)
							VALUES(
							'" . $item['id'] . "',
							'" . $user_id . "',
							'" . $_SERVER['REMOTE_ADDR'] . "',
							'" . time() . "')");
				$database->Query() or die("Database error: voting(2)!");
			}
		}
       	$header = 'Content-Type: text/xml; charset=utf-8'; //.$this->_local_charset;
		header($header);
		$xml = '<?xml version="1.0" standalone="yes"?><voting><id>' . $item['id'] . '</id><yes>' . $item["voting_yes"] . '</yes><no>' . $item["voting_no"] . '</no></voting>';
		$this->_comObject->cleanComponentCache();
        exit($xml);
    }

Tiles

CMC

CMandrill

FFGate

CUpdater

CNotes

Mydigipass

CSlideshow

Pricing

Joomla! Development

Joomla! Security

App Development

Angular 2

Official releases

Developer releases

Languages

Help Desk

Support policy

Hotspots

Matukio Events

CComment

Ctransifex

CMC

CNotes

CMigrator

CMandrill

MyDigipass

CForms

CForms for WordPress

Video Tutorials

Changelogs

Matukio API Docs

Team

Joomla Commitment

Privacy Policy / Imprint

Notice

TOPIC: Vote System