Addressed to: "Chris" <[EMAIL PROTECTED]>
              [EMAIL PROTECTED]

** Reply to note from "Chris" <[EMAIL PROTECTED]> Thu, 1 Mar 2001 15:43:25 -0800
>
> Would it not be possible to have both the form page and the script page that
> handles the form be generated on the fly with random filenames?
>
> The form page would point to the random generated script page, and the
> script page could delete itself after it is processed. You would also want
> a cron to delete any files in case they never bothered to submit the form.
>
> Can anyone see a problem with this?


That makes it a little harder, but I can just view source and hit the
page a couple of times, and I will see that the Action="" in the <FORM>
tag changes and know I have to go back one step to get it.  If I have to
I can emulate a person coming in from the home page, walking all the
links to the form, then entering it.


  I hit the page that generates the random name.

  It returns the random name.

  I use it in my following request to get the form.

  I fill in the form and send it.


Maybe you can make it 'not worth the effort' for a hacker, but be
careful you don't make it 'not worth the effort' for your legitimate
visitors.

The big problem you have is, if I can fill it in by hand, I can watch
what passes over the network and write a program to emulate it.  What a
browser can do is very limited, and even things like headers that are
not normally visible when you view source are visible to a network
sniffer.




Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com
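
The scheme discussed in this thread, as an added example that is not part of either message: the random filename is modelled as a single-use, expiring token kept on the server (the class and method names are hypothetical, and PHP 8 is assumed). A client that fetches the form and then posts is accepted whether a person or a program drives it; only a replayed, guessed or expired name is refused.

```php
<?php
// Added illustration: hypothetical names, not code from the thread.
// Stand-in for the "random filename": a single-use token held server-side.
final class FormTokens
{
    /** @var array<string,int> token => expiry (unix time) */
    private array $live = [];

    public function __construct(private int $ttl = 600) {}

    // Called when the form page is generated; the token goes into ACTION="".
    public function issue(int $now): string
    {
        $token = bin2hex(random_bytes(16));
        $this->live[$token] = $now + $this->ttl;
        return $token;
    }

    // Called by the form handler. Deleting on first use stands in for the
    // self-deleting script; the expiry check stands in for the cron job.
    public function redeem(string $token, int $now): bool
    {
        $expiry = $this->live[$token] ?? null;
        unset($this->live[$token]);
        return $expiry !== null && $now <= $expiry;
    }
}

$tokens = new FormTokens(600);
$t0 = 983490205; // constructed timestamp

// Case 1: a scripted client fetches the form, then posts five seconds later.
$action = $tokens->issue($t0);
var_dump($tokens->redeem($action, $t0 + 5));

// Case 2: the same ACTION value is posted a second time.
var_dump($tokens->redeem($action, $t0 + 6));

// Case 3: a post to a made-up name, without fetching the form first.
var_dump($tokens->redeem(str_repeat('0', 32), $t0));

// Case 4: the form is fetched but submitted after the lifetime has run out.
$stale = $tokens->issue($t0);
var_dump($tokens->redeem($stale, $t0 + 601));
```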

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]