> I can think of one way that you can take in an attempt to prevent
> this. It is not totally foolproof but it will make it more difficult
> to send spoof data:
> 1) Check your HTTP referer when the form is submitted. If the
> referer is not from your host then don't process the form.
> Of course this can be faked quite easily if this person knows
> what (s)he is doing.

Well, this was part of what I was going to do.  I was going to check
to see if the request method was post and if the referer was from
our host (not just the form/page).  If all that was true, then process
the form.  If not, don't.
However, I know that the $HTTP_REFERER variable is not at all
reliable.  On that note, what browsers/versions would not send this
information for Apache/PHP to set?  I know it is because of the browser
that the client is using that this variable is unreliable.  But what those
browsers/versions are, I don't know and am hoping someone can 
answer.

Chris
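
The check discussed in this message (POST method plus a referer from our own host), as an added PHP example that is not part of the original thread. The function name `classify_submission`, the host `www.example.com` and the sample requests are assumptions, and it reads the `$_SERVER`-style array rather than the `$HTTP_REFERER` global.

```php
<?php
// Added example, not code from the thread.
// Classify a form submission by request method and Referer host.
// $server has the shape of PHP's $_SERVER; $ourHost is an assumed site name.
function classify_submission(array $server, string $ourHost): string
{
    if (strtoupper($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'reject: not POST';
    }

    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Some browsers, proxies and privacy tools omit the header, so a
        // missing value is reported separately and needs its own policy.
        return 'undecided: no referer sent';
    }

    // Compare the parsed host exactly. A substring test on the raw header
    // would also match a URL that merely contains our host name somewhere.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $ourHost) !== 0) {
        return 'reject: referer host is not ours';
    }

    // The header is client-supplied, so this only means it matched.
    return 'accept: referer host matches';
}

// Constructed sample requests (not real traffic).
$samples = [
    'own form, POST'        => ['REQUEST_METHOD' => 'POST',
                                'HTTP_REFERER' => 'http://www.example.com/form.php'],
    'own form, GET'         => ['REQUEST_METHOD' => 'GET',
                                'HTTP_REFERER' => 'http://www.example.com/form.php'],
    'header missing'        => ['REQUEST_METHOD' => 'POST'],
    'other host'            => ['REQUEST_METHOD' => 'POST',
                                'HTTP_REFERER' => 'http://other.test/copy-of-form.html'],
    'our name in the query' => ['REQUEST_METHOD' => 'POST',
                                'HTTP_REFERER' => 'http://other.test/?www.example.com'],
    'our name as a prefix'  => ['REQUEST_METHOD' => 'POST',
                                'HTTP_REFERER' => 'http://www.example.com.other.test/'],
];

foreach ($samples as $label => $server) {
    printf("%-24s %s\n", $label, classify_submission($server, 'www.example.com'));
}
```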
