I can think of one way that you can take in an attempt to prevent
this.
It is not totally foolproof but it will make it more difficult
to send spoof data:

1) Check your HTTP referer when the form is submitted. If the
referer is not from your host then don't process the form.
Of course this can be faked quite easily if this person knows
what (s)he is doing.


> > It is possible (I've done it) to find out all the variables
> > that make up a form on a particular site, generate a
> > similar form on your site with that form's action being
> > the CGI/PHP script that the particular site uses to process
> > the form once submitted, modify the values for the form
> > variables to be anything you want and submit the form
> > that resides on your site.  This will basically submit totally
> > fabricated data to the foreign site and possibly screw them
> > up somehow and/or in some way.
> >
> > Is there any way to defend against this?  Is there any way
> > to ensure that when a form is submitted that the submission
> > request originated from your site/domain and not somewhere
> > else?


-- 
PHP General Mailing List (http://www.php.net/)
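One way to implement the Referer check suggested in the reply above, as an added example that is not part of the original thread; the function name `referer_is_local`, the host `www.example.com` and the sample URLs are assumptions. It compares the parsed host exactly rather than searching the header for a substring, and, as the reply says, a client that sets its own Referer header still passes.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Returns true only when the Referer header names one of our own hosts.
function referer_is_local(array $server, array $allowedHosts): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Header absent: stripped by a proxy or privacy setting, or a non-browser client.
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact match on the parsed host. A substring search for the site name
    // would also accept hosts and query strings that merely contain it.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample inputs: Referer value => expected result.
$allowed = ['www.example.com'];
$samples = [
    'https://www.example.com/contact.php'         => true,
    'http://WWW.EXAMPLE.COM/form.html'            => true,
    'http://www.example.com.other.test/form.html' => false, // look-alike host
    'http://other.test/?from=www.example.com'     => false, // name only in query
    'http://www.example.com@other.test/form.html' => false, // name in userinfo
    'not a url'                                   => false,
    ''                                            => false, // header missing
];
foreach ($samples as $referer => $expected) {
    $got = referer_is_local(['HTTP_REFERER' => $referer], $allowed);
    printf("%-46s %-6s %s\n", $referer === '' ? '(none)' : $referer,
        $got ? 'accept' : 'reject', $got === $expected ? 'ok' : 'MISMATCH');
}

// In the form handler (sketch):
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//         && !referer_is_local($_SERVER, $allowed)) {
//     http_response_code(403);
//     exit;
// }
```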