Securing Web-Based E-Voting System Using Captcha and SQL Injection Filter

The electoral system is very necessary in the democratic life of students, especially to elect a senate chairman in a higher education environment. The use of the conventional electoral system is slow, inefficient


INTRODUCTION
Indonesia adheres to the concept of democracy based on the 1945 Constitution (UUD 1945) of the Republic of Indonesia. Elections are an important part of the democratic process in Indonesia. So far, the general election has been conducted conventionally: participants secretly mark the number or photo of their candidate on the ballot paper provided by the committee. However, conventional elections have several weaknesses. According to Seftyanto et al., there are at least 4 (four) main problems in conventional elections, namely logistics distribution, a ballot counting process that takes too long, inconsistent regulations related to vote counting, and the potential for errors or fraud in vote recapitulation [1].
In the higher education environment, the example of democratic life that is easiest to see and encounter is the election of a student senate chairman. In such an activity, all students, without exception, can exercise their voting rights in accordance with the applicable rules. Like the presidential election, student elections are also still conducted conventionally. To overcome the limitations of conventional elections, many researchers propose electronic systems called electronic elections [1], electronic polling systems [2], Internet voting systems [3], or e-voting [4][5][6][7][8][9][10]. E-election or e-voting is assumed to solve these problems by utilizing Information and Communication Technology (ICT). E-voting is indeed different from traditional systems: all characteristics of Langsung, Umum, Bebas, and Rahasia (LUBER) can be fulfilled by e-voting except the "Langsung (Direct)" aspect, because e-voting gives voters the flexibility not to come to the polling station in person but to vote from anywhere with access to the website.
E-voting systems can reduce the use of paper because they are based on digital technology. E-voting aims to increase participation, reduce costs, and improve the accuracy of results. However, data integrity and security [11] are the most important aspects that must be considered in building an e-voting system. An e-voting system for student elections [8] can be conducted securely on the web [12] by implementing security mechanisms such as an SQL injection filter [13] and a password or captcha [14]. Darmayunata et al. developed an e-voting system focused on the problems of heavy paper use, long announcement times, and high costs [15]. The system was implemented in a state junior high school, SMPN 10 Pekanbaru. However, that system uses only passwords as its security mechanism, which can easily be manipulated by robots or non-human participants.
The e-voting method can be used as an alternative medium for electing student leaders because it can keep pace with the rapid development of digital technology. Suprianto et al. [16] implemented an e-voting method at a vocational high school, SMK 13 Bandung, for the election of the OSIS chairperson; it provides accurate, fast, and reliable voting results, reduces the number of students who do not vote, and does not interfere with the learning process. However, that system is not accompanied by security mechanisms to prevent brute-force attacks. Adekitan et al. [17] proposed an electronic voting system developed using Visual Basic and a Microsoft Access database. The application authenticates the voter by verifying a previously issued PIN that is unique to each voter. However, the PIN can be guessed by a machine or robot that tries all possibilities.
In this study, an e-voting system was designed and implemented for a student election, with a case study at the Sekolah Tinggi Sandi Negara (STSN), Bogor, West Java. The system was created using the PHP programming language and a MySQL database [18] and runs in a web browser. To prevent computer programs or robots from conducting a brute-force attack on the login phase, captcha-based verification is used in the proposed system. In addition, we also implemented an SQL injection filter and a limited voting time to prevent illegal attempts by humans. The system was then tested using the black-box method to determine whether the system design suits the needs. The result of the research is an e-voting system that passes the prevention tests for SQL injection and non-human participant attacks.

Problem Analysis
The main problem to be solved in this research is the inefficiency and vulnerability of the conventional student general election system, with a case study of STSN. The solution offered is a web-based e-voting system with a login security mechanism in the form of a captcha and an SQL injection filter. By implementing an e-voting system, the use of paper and the queuing process can be avoided, so that it becomes more efficient than the conventional process. The captcha is intended to prevent robots or machines from being involved in voting, while the SQL injection filter is used to prevent unauthorized users from entering the system.

Research Method
The method used in this research is system design using the System Life Cycle (SLC), which consists of the planning, system analysis, system design, implementation, and testing phases. In the planning phase, data on the voting and e-voting systems are collected. The voting system data are taken from the Student Election Commission and include the names of the candidates and the data of the students who are voters. This is the material for the system and database design. In the system analysis phase, the input, process, and output of the e-voting system are identified. The inputs needed are the Student Identification Number (NPM), token, captcha, and the voter's choice of candidate. Process analysis defines the e-voting system scheme as the set of functions the system uses to process input from voters and produce output. Output is the result the system returns for the voter's input; it can be information shown to the voter or data that will be re-processed by the system. At this stage the database design is also analyzed. The system is web-based and can be accessed through a browser connected to the network set up by the committee. It was built using PHP, HTML, and CSS, with a MySQL database.
In the system design phase, the input design covers the voter's input data, namely NPM, token, captcha, and choice. The NPM and token entered by the voter are checked by the system to ascertain whether the voter has already voted, and the same data are used for login. The other input from the voter is the candidate choice, which is sent to the database. The output design of this system is twofold: information about the candidates for Student Senate Chair to be selected (name, photo, and serial number), and, once the voter has chosen, the voter ID and the number of the chosen candidate for Student Senate Chair. The database design consists of the tables needed by the e-voting system, using MySQL. The process design describes the sequence of commands carried out by the system for each voter input, together with the existing functions: voter login, candidate selection, the captcha function, issuing an ID to the voter, and saving the vote to the database. In the implementation phase, the proposed system is implemented in the following environment. The software used is Microsoft Windows 10 Professional, XAMPP Server 3.2.2, PHP 7, HTML 5, and MySQL 5.7. The hardware used is a laptop with an AMD A8 processor, 8GB DDR3 memory, and a 500GB hard drive. The final phase is testing. At this stage, errors in the system are detected and it is ensured that every input entered produces the appropriate output. Testing is done using the black-box method. This research develops an e-voting system with a case study of the general election of the chairman of the STSN Student Senate. The e-voting system must have several parameters that guarantee the fulfillment of the principles of elections.
In this study, the e-voting system fulfills the following parameters: only registered voters validated by the Student General Election Commission (KPUM) can enter the e-voting system and vote; each voter can cast only one vote, and a voter who has voted cannot vote again or correct the choice; the voter's choice is kept confidential, and the voter receives the ID under which the choice is stored in the database, an ID known only to that voter; voters can vote only in the time period specified by the KPUM, and after the election time is over, voters cannot vote; vote counting is done after the election time is over, the count is witnessed directly by the voters, and voters can check whether their choice has been changed using the ID obtained at the time of the election; and every voter is given a token when validating at the polling station at the time of the election, and the token is used for voter verification on the e-voting system's verification page.

Analysis of System Requirements
At this stage, an analysis of functional and non-functional requirements of the e-voting system is carried out.

Functional Requirements
The functional requirements of the proposed system consist, in general, of the voter verification, voting, and vote counting phases. In the voter verification phase, the system verifies voters based on NPM, token, and captcha, so voters who are not registered or not logged in cannot enter the e-voting system. In the voting phase, verified voters can enter the e-voting system and vote; voters can vote only once; and the identity of the voter is not linked to the choice made (this provides secrecy; instead, the voter receives a random ID that is associated with the choice). In the vote counting phase, the count is done after the voting time is over; the system reads the votes entered into the database during voting; the counting process can be seen by all voters, and the results are displayed in graphical form.

Non-Functional Requirements
The non-functional requirements of the proposed system are ease of use, performance, and network security. The system is built with a user-friendly display so that it is easy for voters to use. With a simple ballot design, the system displays only the photos, serial numbers, and names of the candidates. The system runs well when supported by adequate hardware and network devices on both the client and the server side. The system runs on a local network, so only clients connected to the server can access the e-voting system. The password entered by a user is converted to an eight-character value using the SHA-1 algorithm.

General Description of the System
The system developed in this study is a web-based e-voting system with three main modules. 1) Voter Verification Module: used by voters to verify that they have the right to vote. This module has NPM, token, and captcha forms that the voter must fill out; the captcha is used to prevent robots from brute-forcing the verification page. 2) Voting Module: the main module of the e-voting system, in which voters vote for a candidate. Voters can cast only one vote and cannot change their choice after confirming it. 3) Vote Counting Module: counts the votes after the voting time is over, reading from the database the votes previously entered by voters in the voting module.

System Design

Verification Phase
This function validates the voter; the voter enters the e-voting system if the NPM, token, and captcha entered in the form are valid. The function is performed by the voter inside the voting booth, and its flow is shown in Figure 1.

Voting Phase
The voting phase is the main function of the e-voting system. In this function the voter can cast only one vote and cannot change the choice after confirming it. Voters receive an ID when confirming their choice; this ID is linked to the selected vote. The ID is known only to the voter, so the voter can ensure that the choice is not manipulated. The flow of this function is given in Figure 2.

Vote Counting Phase
In this phase, the committee sums the incoming votes one by one, witnessed directly by the voters. During the vote count, each incoming vote and the ID linked to it are displayed. Voters who watch live can check their IDs and confirm that their choices have not been modified. The flow of this function is given in Figure 3.

Database
The database of this e-voting system was developed using MySQL. It consists of five tables, i.e. Data_Candidate, Data_Voter, Data_Vote, Data_Ballot, and Data_User. 1) Data_Candidate: stores the names and serial numbers of the candidates for senate chairman to be selected, as presented in Table 1. 2) Data_Voter: stores the data of the voters who will make a selection and the voter status. Fields and data types are summarized in Table 2. 3) Data_Vote: stores vote data such as tokens and token statuses. Fields and data types are summarized in Table 3. 4) Data_Ballot: stores the vote data entered in the e-voting system; its status field is an Enum('0','1') giving the status of the ballot (0 = already counted, 1 = not yet counted). Fields and data types are summarized in Table 4. 5) Data_User: stores the admin data used to log into the system. The fields and data types used are summarized in Table 5.

System Implementation
The implementation of this e-voting system uses PHP and a MySQL database; it is described below according to the main phases of the proposed system. 1) Voter Verification phase: Voters are validated in person by the election organizing committee (KPUM) to obtain a token, which is used for verification on the voter verification page, as in Figure 4 (a). After obtaining the token, the voter goes to the voting booth, where the computer shows a verification page containing the NPM, token, and captcha forms. Voters must fill out the form correctly in order to proceed to the selection stage. An NPM and token can be used only once and represent one vote.
2) Voting phase: On the election page, voters see the pictures of the candidates for student senate chairman, as in Figure 4 (b). After entering the election page, the voter automatically receives an ID, as in Figure 4 (c). The ID is the evidence that the voter chose the candidate he chose. Voters can choose only one candidate. When a voter chooses a candidate, a pop-up notification asks the voter to confirm the choice. The IDs are random and do not follow the order of the voter queue. The ID is used to prevent manipulation of the votes chosen by voters and to keep voters' data confidential, as in Figure 4. 3) Vote Counting phase: Only the admin can open the vote count page, because it uses the admin session. This page contains the total votes entered, the voter IDs, and the vote entered under each ID, as shown in Figure 4 (e). Vote counting starts when the election time is over, and the process is witnessed directly by voters. During the count, a voter can verify whether his choice has been modified by matching the ID and vote displayed on the screen.

System Security
This e-voting system implements several security measures. 1) Application of captcha. The captcha is applied to prevent the automatic filling of forms by robots or computer programs using the brute-force method, that is, trying all possible keys. A captcha is easily solved by humans but difficult for robots or computer programs because the captcha is always arbitrary and random. The captcha is implemented as in the following snippet. The paper shows only the drawing calls; the image creation and the session handling that must precede them are reconstructed here so that the snippet runs as a whole.

    <?php
    // Draws the captcha text for the verification page as a JPEG image.
    function generateCaptchaImage(string $captcha): void {
        $image = imagecreatetruecolor(300, 80);              // canvas (size assumed, not given in the paper)
        $white = imagecolorallocate($image, 255, 255, 255);
        $black = imagecolorallocate($image, 0, 0, 0);
        imagefill($image, 0, 0, $black);                     // black background
        $font = "fonts/font.ttf";                            // TrueType font shipped with the system
        imagettftext($image, 30, 5, 120, 40, $white, $font, $captcha); // white, slightly rotated text
        header("Content-Type: image/jpeg");
        imagejpeg($image);
        imagedestroy($image);
    }

    // The expected answer is kept server-side in the session so the verification
    // handler can compare it with what the voter typed.
    session_start();
    $_SESSION['captcha'] = strtoupper(bin2hex(random_bytes(3)));   // six random characters
    generateCaptchaImage($_SESSION['captcha']);

2) SQL injection filter. A character check on the verification form is used to prevent SQL injection. The prevention mechanism uses the mysqli_real_escape_string function, and the special characters and spaces listed in Table 6 are not permitted; the system refuses them with an error warning. If the NPM, token, or captcha fields contain characters other than letters or digits, the SQL injection filter triggers and the system redirects from the verification page to the error page shown in Figure 4 (f). The snippet of the mysqli_real_escape_string function is given as follows.
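The two checks above, as an added example that is not code from the paper: an alphanumeric whitelist for the NPM, token and captcha fields, a single-use constant-time captcha comparison, and the voter lookup written with a prepared statement instead of relying on mysqli_real_escape_string alone. The column names, the status encodings, and the sample inputs are assumptions; the paper names the tables but not their fields.

```php
<?php
// Added example, not code from the paper: the verification-page input filter
// described above, written as reusable functions. The column names in
// findEligibleVoter() are assumptions; the paper names the tables but not their fields.
// Whitelist check: NPM, token and captcha answers may contain only letters and
// digits, which is what the paper's filter enforces before any query is built.
function isAlphanumeric(string $value): bool
{
    return preg_match('/^[A-Za-z0-9]+$/', $value) === 1;
}

// Names of the fields that fail the whitelist (empty array = request accepted),
// so the error page in Figure 4 (f) can say which input was refused.
function rejectedFields(array $fields): array
{
    $bad = [];
    foreach (['npm', 'token', 'captcha'] as $name) {
        if (!isset($fields[$name]) || !is_string($fields[$name]) || !isAlphanumeric($fields[$name])) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Captcha check: case-insensitive, constant-time, and the stored answer is
// discarded after one comparison so each attempt needs a freshly drawn image.
function captchaMatches(array &$session, string $answer): bool
{
    if (!isset($session['captcha'])) {
        return false;
    }
    $expected = strtoupper($session['captcha']);
    unset($session['captcha']);
    return hash_equals($expected, strtoupper($answer));
}

// Voter lookup with a prepared statement. mysqli_real_escape_string depends on the
// connection charset and on every value being quoted; bound parameters keep NPM and
// token as data regardless, so the whitelist is not the only barrier against injection.
function findEligibleVoter(mysqli $db, string $npm, string $token): ?string
{
    $stmt = $db->prepare(
        'SELECT v.npm FROM Data_Voter v JOIN Data_Vote t ON t.npm = v.npm '
        . 'WHERE v.npm = ? AND t.token = ? AND v.status = ? AND t.status = ?'
    );
    $notVoted = '0';   // assumed encoding: 0 = voter has not voted yet
    $unused   = '0';   // assumed encoding: 0 = token not yet used
    $stmt->bind_param('ssss', $npm, $token, $notVoted, $unused);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    return $row === null ? null : (string) $row[0];
}

// Constructed requests, as they would arrive in $_POST on the verification page.
$session  = ['captcha' => 'K7Q2M'];
$clean    = ['npm' => '17010001', 'token' => 'A1B2C3', 'captcha' => 'k7q2m'];
$tampered = ['npm' => "17010001' OR '1'='1", 'token' => 'A1B2C3', 'captcha' => 'k7q2m'];
var_dump(rejectedFields($clean), rejectedFields($tampered)); // quote and spaces in $tampered fail the whitelist
var_dump(captchaMatches($session, $clean['captcha']));       // consumes the stored answer
var_dump(captchaMatches($session, $clean['captcha']));       // same image again: refused
```

Only the whitelist and captcha functions run without a database; findEligibleVoter() needs a live mysqli connection to the committee's MySQL server.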

System Testing
System testing based on the functional and non-functional requirements was carried out using the black-box testing method; the results can be seen in Table 7. The e-voting system was simulated in a client-server configuration: the KPUM admin acts as the server and several clients are connected to the server by cable. The voter queue is based on attendance at the time the election takes place. The ballot paper displays the candidates' information clearly, the choice made by the voter is not linked to the voter's identity, and the voter receives an ID that is linked to his choice. The system displays the voting results as the total votes entered and a graph of the votes for each candidate.

CONCLUSIONS
Digital elections, often called e-voting, can be a solution to save resources in the form of paper, energy, and time in the vote counting process. In this research a secure e-voting system has been developed that has a user-friendly procedure and appearance. The procedure consists of a verification system, a voting system, and a vote counting system. The system can display the voting results once the voting time has finished. The vote counting process is witnessed directly by voters to ensure that there is no fraud in the calculation. The system uses a captcha and an SQL injection filter to prevent voting by computer programs or robots. The system has been tested on several students by providing a questionnaire to be answered in accordance with the results of the system trial. The testing results were as expected, and the simulation met the stated requirements.