PHP Voting problem - Block websites

Greetings everyone,

I have a voting system that requires you to input a username to vote and choose one of 4 websites.

The problem I have is that on voting I give points to members, and there are people that found a way to "hack" it, if I can say, and put foreign websites that I don't have on my voting system, and they get points for voting on something I don't have.
Here is where I got lost. I don't know how to fix it! I heard that I need to do something in config.php and don't know what!

Here is an example of my config.php file:

<?php
//Points added for voting
$Point = 100;
//Voting site links
$votesite = array(
	"http://example-votingsite1.com",
	"http://example-votingsite2.com",
	"http://example-otingsite3.com",
	"http://example-votingsite4.com");
//Time between voting, in minutes
$time_needed = "720";
//MSSQL Connection information
$mssql = array(
          'host' => "host",
          'user' => "user",
          'pass' => "pass"
        );
			
?>

Those are the websites I want people to vote on. But as I said, I don't know how some manage to use other websites than the ones I have, and they get the points I offer on vote.

Any help / points are welcome.

You didn’t show any code for the inputs, sanitation/validation, or database, but can’t you add an in_array somewhere?
If you’re using a text input, would not radios/checkboxes/select be better for something you want to be limited to only those choices?

My inputs are radio type. Here are the other two code files:

Votenow.php

<?php session_start(); ?>
<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
		<title>Points for Voting</title>
		<style type="text/css">
			body
			{
			   margin: 0;
			}
		</style>
	</head>
	<body bgcolor="#202020" text="#FFD700">
		<?php
			if(isset($_SESSION['error']))
			{
				echo "<script type='text/javascript'>alert('".$_SESSION['error']."')</script>";
				unset($_SESSION['error']);
			}
		?>
		<div id="wb_Text1" align="left">
			<font style="font-size:11px" color="#ffffff" face="Arial">You can vote every 48 hours. 1 vote = 100 Points</font>
        </div>
		<img src="http://www.example.com" border="0" alt="My website" >
		<img src="http://www.example.com" border="0" alt="My website" >
		<img src="http://www.example.com" border="0" alt="My website" >
		<img src="http://www.example.com" border="0" alt="My website" >
		
        <div id="container">
            <div id="wb_Form1" align="left">
                   <form name="Form1" method="post" action="vote.php" id="Form1" target="_new">
                        <div id="wb_Text1" align="left">
                            <font style="font-size:11px" color="#FFD700" face="Arial">Account name:</font>
						</div>
                        <input type="text" id="Editbox1"  name="UserID" value="">
                        <input type="submit" id="Button1" name="Button1" value="Vote">
						<div id="wb_Text2" align="left">
                            <font style="font-size:11px" color="#FFD700" face="Arial">Vote Site:</font>
						</div>
						<input type="radio" name="siteID" value="1" checked> example<br>
						<input type="radio" name="siteID" value="2"> example<br>
						<input type="radio" name="siteID" value="3"> example<br>
						<input type="radio" name="siteID" value="4"> example
                    </form>
			</div>
            </div>
		</div>
	</body>
</html>

Vote.php

<?php
// Report all PHP errors (see changelog)
error_reporting(E_ALL);
require_once("config.php");
session_start();

$conn = odbc_connect("Driver={SQL Server Native Client 11.0};Server=".$mssql['host'].";", $mssql['user'], $mssql['pass']) or die ('Konnte keine Verbindung zur Datenbank herstellen. Bitte stellen Sie sicher, dass Sie die Login Daten für die Datenbank richtig eingegeben haben.');
$ip = $_SERVER['REMOTE_ADDR'];
$UserID = isset($_POST['UserID']) ? $_POST['UserID'] : '';
$SiteID = isset($_POST['siteID']) ? intval($_POST['siteID']) : 1;
$date = date("Y-m-d G:i");

if($SiteID > count($votesite) && $SiteID <= 0)
{
	$SiteID = 1; //They tried to make their own ID
}

if (empty($UserID))
{
	$_SESSION['error'] = "You did not enter a account name! Please try again.";
	header("location:votenow.php");
}
else
{
	$sql1 = odbc_prepare($conn, "SELECT * FROM PS_UserData.dbo.Users_Master WHERE UserID = ?");
	odbc_execute($sql1, array($UserID));
	$count1 = odbc_num_rows($sql1);

	if($count1 == 0)
	{
		$_SESSION['error'] = "Account not found. Please try again.";
		header("location:votenow.php");
	}
	else
	{
		$sql2 = odbc_prepare($conn, "SELECT * FROM PS_UserData.dbo.USER_VOTES WHERE UserID = ? AND SiteID = ?");
		odbc_execute($sql2, array($UserID, $SiteID));
		$count2 = odbc_num_rows($sql2);

		$voted_date = odbc_result($sql2, "date");
		$to_time = strtotime($voted_date);
		$from_time = strtotime($date);
		
		if($count2 > 0)
		{
			if (round(abs($to_time - $from_time) / 60,2) > $time_needed)
			{
				$sql3 = odbc_prepare($conn, "DELETE FROM PS_UserData.dbo.USER_VOTES WHERE UserID = ? AND SiteID = ?");
				odbc_execute($sql3, array($UserID, $SiteID));
				$sql4 = odbc_prepare($conn, "INSERT INTO PS_UserData.dbo.USER_VOTES (UserID,ip,date,SiteID) VALUES (?,?,?,?) ");
				odbc_execute($sql4, array($UserID, $ip, $date, $SiteID));
				$sql5 = odbc_prepare($conn, "UPDATE PS_UserData.dbo.Users_Master SET Point = Point + ? WHERE UserID = ?");
				odbc_execute($sql5, array($Point, $UserID));
				header("location:".$votesite[$SiteID-1]);
			}
			else
			{
				$_SESSION['error'] = "You have already voted on that site in the past 48 hours!";
				header("location:votenow.php");
			}

		}
		else
		{
			$sql6 = odbc_prepare($conn, "SELECT * FROM PS_UserData.dbo.user_votes WHERE ip = ? AND SiteID = ?");
			odbc_execute($sql6, array($ip, $SiteID));
			$count3 = odbc_num_rows($sql6);

			if($count3 > 0)
			{
				$_SESSION['error'] = "That IP has already voted on that site in the past 12 hours!";
				header("location:votenow.php");
			}
			else
			{
				$sql7 = odbc_prepare($conn, "INSERT INTO PS_UserData.dbo.user_votes (UserID,ip,date,SiteID) VALUES (?,?,?,?)");
				odbc_execute($sql7, array($UserID, $ip, $date, $SiteID));
				$sql8 = odbc_prepare($conn, "UPDATE PS_UserData.dbo.Users_Master SET Point = Point + ? WHERE UserID = ?");
				odbc_execute($sql8, array($Point, $UserID));		
				header("location:".$votesite[$SiteID-1]);
			}
		}
	}
}
odbc_close($conn);
?>

I’m no security expert but I cannot see how anyone could add their own site to your database via that form. You don’t store the URLs in the database there, only siteID. Your range check for SiteID won’t work, though, because you use ‘&&’ instead of ‘||’ for the out-of-bounds check (the value can never be higher and lower than the allowed range), but as the form is presenting a radio button I can’t see how it would present a value out of range.

How is the user-added site manifesting itself?
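To illustrate the range-check point above: an added example, not code from the thread, that runs the posted `&&` check and a corrected version side by side against the `$votesite` list from config.php. A radio button only limits what the browser sends, so the server still has to treat `siteID` as untrusted; the constructed inputs below include values a browser form would never produce.

```php
<?php
// Added example (not from the thread): the range check as posted in vote.php
// compared with a corrected one, using the $votesite list from config.php.
$votesite = array(
    "http://example-votingsite1.com",
    "http://example-votingsite2.com",
    "http://example-votingsite3.com",
    "http://example-votingsite4.com",
);

// The check as posted: a value cannot be both above count() and <= 0,
// so the condition is never true and nothing is ever clamped.
function siteIdOriginal($raw, array $votesite) {
    $SiteID = intval($raw);
    if ($SiteID > count($votesite) && $SiteID <= 0) {
        $SiteID = 1;
    }
    return $SiteID;
}

// Corrected check: accept only a plain digit string, require 1..count(),
// and confirm the index exists before it is used as a redirect target.
// Returns null for anything that should be rejected rather than "fixed up".
function siteIdChecked($raw, array $votesite) {
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;            // "", "abc", "2abc", "-1" all end here
    }
    $SiteID = intval($raw);
    if ($SiteID < 1 || $SiteID > count($votesite)) {
        return null;            // out of range: 0, 5, 999 ...
    }
    if (!array_key_exists($SiteID - 1, $votesite)) {
        return null;            // defensive: list and ids drifted apart
    }
    return $SiteID;
}

// Constructed inputs: valid, zero, past the end, negative, non-numeric.
foreach (array("3", "0", "5", "-1", "abc") as $raw) {
    $orig  = siteIdOriginal($raw, $votesite);
    $fixed = siteIdChecked($raw, $votesite);
    printf("input=%-5s original=%2d -> %-28s | checked -> %s\n",
        var_export($raw, true),
        $orig,
        isset($votesite[$orig - 1]) ? $votesite[$orig - 1] : "(undefined index)",
        $fixed === null ? "rejected" : $votesite[$fixed - 1]);
}
```

With the original check, "0", "5", "-1" and "abc" all fall through to an undefined `$votesite` index and an empty `Location:` header; the corrected function rejects them before any vote row is written.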