Would it not be possible to have both the form page and the script page that
handles the form be generated on the fly with random filenames?

The form page would point to the randomly generated script page, and the
script page could delete itself after it is processed. You would also want
a cron to delete any files in case they never bothered to submit the form.

Can anyone see a problem with this?



> > I can think of one way that you can take in an attempt to prevent
> > this. It is not totally foolproof but it will make it more difficult
> > to send spoof data:
> > 1) Check your HTTP referer when the form is submitted. If the
> > referer is not from your host then don't process the form.
> > Of course this can be faked quite easily if this person knows
> > what (s)he is doing.
>
> Well, this was part of what I was going to do.  I was going to check
> to see if the request method was post and if the referer was from
> our host (not just the form/page).  If all that was true, then process
> the form.  If not, don't.
> However, I know that the $HTTP_REFERER variable is not at all
> reliable.  On that note, what browsers/versions would not send this
> information for Apache/PHP to set?  I know it is because of the browser
> that the client is using that this variable is unreliable.  But what those
> browsers/versions are, I don't know and am hoping someone can
> answer.
>
> Chris
>


-- 
PHP General Mailing List (http://www.php.net/)
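
The scheme proposed in this message, as an added example that is not part of the original thread: instead of generating and deleting whole script files, it keeps a random single-use ID as an empty marker file, which the handler deletes on first use and a cron job purges when stale. It assumes PHP 7 or later (for `random_bytes`); the spool directory, lifetime and function names are hypothetical.

```php
<?php
// Added example. Directory, lifetime and function names are assumptions.
const SPOOL_DIR = '/var/spool/form-ids'; // assumed: writable, outside the web root
const MAX_AGE = 900;                     // assumed: a form stays valid for 15 minutes

// Form page: create a random single-use ID and embed it in a hidden field.
function issue_form_id(string $dir = SPOOL_DIR): string
{
    $id = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $fh = @fopen("$dir/$id", 'x');   // 'x' fails if the name already exists
    if ($fh === false) {
        throw new RuntimeException('cannot create form id');
    }
    fclose($fh);
    return $id;
}

// Handler: accept an ID once, then delete it.
function redeem_form_id($id, string $dir = SPOOL_DIR, int $maxAge = MAX_AGE): bool
{
    // Strict format check keeps path characters out of the file name.
    if (!is_string($id) || !preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return false;
    }
    $mtime = @filemtime("$dir/$id");
    if ($mtime === false) {
        return false; // never issued, already used, or purged
    }
    $fresh = (time() - $mtime) <= $maxAge;
    // unlink() succeeds for only one of two concurrent requests.
    return @unlink("$dir/$id") && $fresh;
}

// Cron job: remove IDs for forms that were never submitted.
function purge_stale_ids(string $dir = SPOOL_DIR, int $maxAge = MAX_AGE): int
{
    $removed = 0;
    foreach (glob("$dir/*") ?: [] as $path) {
        if (is_file($path) && time() - filemtime($path) > $maxAge && @unlink($path)) {
            $removed++;
        }
    }
    return $removed;
}

// Handler usage: POST only, and the ID must redeem.
// if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !redeem_form_id($_POST['form_id'] ?? null)) {
//     http_response_code(403); exit;
// }
```

A redeemed ID shows only that the submitter fetched the form within the lifetime; it says nothing about who submitted or whether the field values are valid, so input validation still applies.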