Old 10-07-03, 12:44 PM
rob2132
Quote:
Originally Posted by Archbob
No,
Hotscripts voting code is not on their site. It is a simple form code that users cut and paste to their sites. This saves bandwidth majorly over the iframe method but, however, leaves the way for cheating, unfortunately, by unethical members.
I figured as much (as you can see above), so I once again recommend the "confirmation" of the vote "scoring" on the hotscripts.com side. Thus, no matter what they change, the user would have to confirm or refuse (and report the 'abuse' which should be another option) the score on the end the site doesn't have control over. It would be so small that bandwidth considerations would not be an issue. A simple form with a button to confirm or deny the vote. However, this would have to be session based, where it would create a random session from the initial vote to be able to ensure there was an initial vote score posted to the hotscripts.com voting script, and then require a confirmation.

This would be the only way to ensure that the abusive site didn't just post directly to the 'confirmation' side of the process. It would be pretty simple and fail safe as well--unless the site owner created some scripts to do some very interesting and sneaky things--like have a script on their end post to, grab and parse the response from hotscripts.com's own voting script output, including the 'session' and then have the user post to it or have the script itself automatically post back to it and 'confirm' the vote. Most people are clueless how to go about doing that, even if it is quite simple to do.

However, that problem too, can be overcome by simply checking the session against the requesting and posting IP, to ensure they are the same. This would mean that any script on the other end (abuser's side) would have to send out from that system's IP/ethernet IP. That would not match the user's own IP for the following confirmation. If they didn't ever use the actual voter's IP, you'd have on record that it was the site's own IP, which would only be allowed to post once anyway and then it would deny them from voting again. Thus, short of changing the IP of the site or masking script they could use, it would allow them to trick one user with one vote and then they couldn't get by that after that without changing their site IP (or worse, the ethernet IP), which would not pay to do and would be unlikely. Well, that's my suggestion anyway, it's all very simple to do.
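The session-plus-IP confirmation flow suggested in the post above, as an added Python sketch that is not part of the original thread and is not Hotscripts' code. The class name, the in-memory storage, the five-minute token lifetime and the result strings are assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 300  # seconds a pending vote stays confirmable (assumed value)

class VoteConfirmer:
    """In-memory sketch of the two-step vote: cast, then confirm from the same IP."""

    def __init__(self):
        self.pending = {}   # token -> (site_id, score, ip, created_at)
        self.seen = set()   # (site_id, ip) pairs that have already posted a vote
        self.tally = {}     # site_id -> list of confirmed scores
        self.reports = []   # (site_id, ip) pairs where the user refused the score

    def cast_vote(self, site_id, score, ip, now=None):
        """Step 1: record the posted score and return a random session token,
        or None if this IP already posted a vote for this site."""
        now = time.time() if now is None else now
        if (site_id, ip) in self.seen:
            return None
        self.seen.add((site_id, ip))
        token = secrets.token_urlsafe(32)  # unguessable, so step 2 cannot be hit directly
        self.pending[token] = (site_id, score, ip, now)
        return token

    def confirm(self, token, ip, accept, now=None):
        """Step 2: the confirmation form posts the token back with confirm/deny."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return "unknown_token"      # no initial vote exists for this session
        site_id, score, cast_ip, created = entry
        if ip != cast_ip:
            return "ip_mismatch"        # cast by one host, confirmed by another
        del self.pending[token]         # tokens are single use
        if now - created > TOKEN_TTL:
            return "expired"
        if not accept:
            self.reports.append((site_id, ip))  # user refused the score: abuse report
            return "denied"
        self.tally.setdefault(site_id, []).append(score)
        return "confirmed"
```

Binding to the IP address also affects legitimate voters: users behind a shared NAT or proxy appear as one address, and a user whose address changes between the two steps fails the match.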