update: the title was just in jest so please don’t get too offended anyone =) upon thinking about this problem a little more, the solutions are all rather similar to the solutions for blog comment / social media spam. if you want to be 100% sure a human is voting, then you have to use a moderately strong CAPTCHA. That still leaves you open to unsophisticated human-powered attacks. Read on for one simple, 30-min fix based upon IP restriction per time period.

There you are, a recent college graduate, fresh out of school and working for some giant media conglomerate.

Your boss comes to you with an assignment, assuring you it should only take a few hours or less to “whip something up.” (the dreaded phrase)

You get all of the basic, core functionality complete. But then some smart-ass coworker asks, “what will you do about ballot stuffing?”

Feeling particularly lazy that day, you blow him off and decide to punt on the issue.

So you forgo writing any kind of rudimentary multiple vote checking…

Until Today

Adding this is literally about 25-50 lines of code in any language, perhaps more if you want to get crazy with blocking IP subnets / proxy servers.

You might be wondering, what about users sharing the same connection or proxy server? Tough luck for them.

If you don’t limit it to X votes per IP per day/hour/week/whatever, you have just opened yourself up to unlimited “hacking” of your ballot by any coder / script kiddy who takes 5 minutes to view source & write a basic ballot stuffer.

And by all means, if you want to open the voting up to infinite votes per IP address… that’s cool too. Just don’t complain when 5,000 votes come from the same IP.

So… no excuses

Our example “poll_ips” lookup table.

id | poll_id | ip_address   | created_at
-------------------------------------------------
1  | 27      | 65.92.69.215 | 2007-09-04 01:27:16
2  | 27      | 27.39.27.15  | 2007-09-12 22:01:47
3  | 27      | 82.47.45.92  | 2007-09-12 23:10:36

Pseudocode

#IP address is in variable $ip, 24 hours ago from now stored in $day_ago

SELECT * FROM poll_ips WHERE ip_address = $ip AND created_at > $day_ago;

IF any results?
 # YES: do not count the vote, return
ELSE
 # Check Banned IP Subnet / Proxy Server List
 IF in a banned IP subnet / proxy server list?
   # YES: do not count the vote, return
 END
END

IF we get here, we're all good.
  # DO IT -- count the vote like we normally would... and:
  # Insert the voter's IP address into our "poll_ips" table:
  INSERT INTO poll_ips ('poll_id', 'ip_address', 'created_at') VALUES ($poll_id, $ip_address, CURRENT_TIME())
END

And PAZAAAM, you’ve got a less hackable voting system in about 30 minutes of work.

You now proudly boast on your blog, “Ron Paul supporters, bring it on baby!”
Real-live Rails code…

If pseudo-code is not your thing, here is some real live Rails code (slightly adapted for this example) that I use in production:

stat_log = StatLog.find(:first, :conditions => ["ip_address = ? AND DATE_SUB(CURDATE(), INTERVAL 1 DAY) <= created_at", ip_address])
# Only log it if we haven’t seen them before in 24 hours and they have a valid referrer
if (stat_log.nil?) && (not referrer.nil?)
	content_item_id = nil
	StatLog.create(:content_item_id => content_item_id, :ip_address => ip_address)
end