Support/Comments for Polls Module - My Forums

sql injection vulnerability

stevs — May 16, 2011, 10:29 AM

Good little module but it does not sanitize its input. I would recommend adding mysql_escape_string to the following lines

$results = $modx->db->select('*', $iptable, 'ipaddress=\'' . $useraddy . '\' AND pollid=' . mysql_escape_string($_POST['poll_pollid']), '');
...
$sql = "UPDATE " . $polltable . " SET votes=votes+1 WHERE id=" . mysql_escape_string($_POST['poll_pollid']) . ";";
$modx->db->query($sql);
$sql = "UPDATE " . $choicetable . " SET votes=votes+1 WHERE id=" . mysql_escape_string($_POST['poll_choice_id']) . ";";
$modx->db->query($sql);

better yet is to add an is_numeric check for both these variables before reaching the DB insertion point

Re: Support/Comments for Polls Module

jsor — Sep 06, 2010, 04:25 AM

Quote from: PaulGregory at Aug 21, 2006, 05:54 PM

No need to pass through ID, it picks up the most recent one

I was wondering if there was a way to do this?

Re: Support/Comments for Polls Module - votes not logged

Szakul — Jul 08, 2010, 03:52 PM

Quote from: jj0101 at Jan 05, 2010, 03:36 PM

Hi all

I have added the 2 snippets and module which all look fine, however the when I vote, it doesn’t log it (ie the module still shows zero votes).

I am using the basic call from the documentation: [!pollvote? &pollid=`1` &redirect=`1` &onevote=true &ovmessage=`You can only vote once` &resultsbutton=true!] and have setup a poll with id = 1.

If anyone has any ideas I would appreciate it!

Thanks.

jj0101 are You still interested in solving Your problem ?

I had the some problem. You have to use &useip=true and &onevote=true together. Then ip numbers will be added to the table in mysql base.

Re: Support/Comments for Polls Module - votes not logged

jj0101 — Jan 05, 2010, 09:36 AM

Hi all

I have added the 2 snippets and module which all look fine, however the when I vote, it doesn’t log it (ie the module still shows zero votes).

I am using the basic call from the documentation: [!pollvote? &pollid=`1` &redirect=`1` &onevote=true &ovmessage=`You can only vote once` &resultsbutton=true!] and have setup a poll with id = 1.

If anyone has any ideas I would appreciate it!

Thanks.

Polls Module: Anyone Have Live Example?

oldwebdude — Apr 29, 2009, 01:26 PM

Contemplating adding this to my site but number of posts/problems have me freaking a bit... that plus lack of a live example to follow to understand the CSS nesting/order to set up the poll in HTML.

Any examples or anyone advise staying away from this particular module? Would like to use it and can see the time and effort Garry has put into support and updates (which has been great), altho I’m noting not a lot of posting here all around lately... hmm...

TYVM - any advice/help appreciated!

Re: Support/Comments for Polls Module

lastoftheromans — Apr 03, 2009, 04:51 AM

hello guys,

where i can see IPs who voted?
In my BD i cant`s see this info...

Re: Support/Comments for Polls Module

Sedgar — Dec 24, 2008, 08:00 AM

Found JS error under IE in pollmanager_module.txt

Re: Support/Comments for Polls Module

fazzz — Jul 10, 2008, 08:29 AM

does anybody can help me please in the following issue - i want to use pictures or links to pictures instead of text of the poll answer? is it possible? what should i do for that?
thanks in advance.

Re: Support/Comments for Polls Module

Taff — Jan 08, 2008, 06:26 AM

Read my post at the top of this page. I had to do something similar for a client not that long ago, and have documented the changes I made there.

Hope that helps,
Taff

Re: Support/Comments for Polls Module

richardjj — Jan 07, 2008, 01:27 PM

Hi there,

I’d like to know if its possible to customise this module so that only members are allowed to vote? How would one go about setting this up?

thanks

R