I'm building a little multiple choice app. The below two options are generated from a query. After one of them is pressed, ajax sends data to a table, the "next" button is inserted and when pressed two more options are available.

I just noticed that if an element with the id="4" and class="pick" is copied and inserted in the html through the inspect element option, id 4 can be voted over and over ... what's a good way to prevent this?

<ul class="thisClass">
    <li class="first"><a href="#" class="pick" id="4">mercedes</a></li>
    <li class="last"><a href="#" class="pick" id="8">alfa romeo</a></li>
</ul>

The jQuery

$('.thisClass').on('click', '.pick', function(e) {
    e.preventDefault();   // was "e.preventDefault;", which never calls the method

    var pickID = $(this).attr('id');
    var notPickID = $('.pick').not('#' + pickID).attr('id');

    $.ajax({
        type: "POST",
        url: "http://mywebsite.com/index.php/home/user_pick",
        data: {pick : pickID, notPick : notPickID},
        dataType: "json",   // assumes the server answers with JSON; needed so data.content is a field, not text
        success: function(data) {
            // replace the two options with the next pair returned by the server
            $("ul.thisClass").html(data.content);
            $("div#next_button").html('<a href="#" class="next" id="next">Next</a>');
        }
    });
    return false;
});

Solution

You need to send back to the server all the info needed to ensure there are no duplicates.

  1. The userID
  2. The surveyID
  3. The questionID
  4. The answerID

When you get the values on the server, items 1, 2, & 3 must be a unique combination... otherwise the user is trying to submit multiple answers (intentional or otherwise).

Note: if your questions are not tied to a survey, consider #2 above optional when determining uniqueness.

In addition... once you've registered the user's answer to a given question you could have your AJAX return a flag that tells you that your JavaScript code should disable that question or display it in a "done" state so that the user doesn't try to re-answer it.

Other tips

In fact, they don't need to copy and insert it in the html through the inspect element option to "hack" your website, just send a POST request with data {pick : pickID, notPick : notPickID} to http://mywebsite.com/index.php/home/user_pick and your website is down. You must do the validation at server side.

A good approach to solve this problem is to prevent multiple picks from the same user (or same IP address if your picking system does not require an account): get the UserID or UserIP in your controller to check whether the user has picked or not.

Licensed under: CC-BY-SA with attribution