Hi Phill,

Yes, I see. So a script that POSTs to itself can be made more secure  
than a 2 part script of form and script, since you can use PHP to  
set up the mechanism before the POST to test for. Thanks. I'll tinker  
with that.

Also some comments on what may not be obvious to others in creating a  
secure script:

1. Only allow the form to send limited data from the form to the form  
POSTed email address.
2. Better yet do not send an email to the form POSTed email address  
at all.
3. Scrub all POST data for special characters like \n, \r, \0, and  
commas. You might even use something like htmlspecialchars() to  
convert things like <, >, ", ', and so on.
4. Do not put the recipient email address as a hidden form input. Put  
it in the script.

Sincerely,
Mike
-- 
Mike Brandonisio          *    Web Hosting
Tech One Illustration     *    Internet Marketing
tel (630) 759-9283        *    e-Commerce
[EMAIL PROTECTED]    *    http://www.jikometrix.net

     JIKOmetrix - Reliable web hosting
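
A worked version of the two suggestions in this thread (Phill's hidden token plus an IP/timestamp table, and Mike's header scrubbing and fixed recipient), added here as an illustration; it is not code from either poster. It assumes PDO with SQLite (in-memory so it runs stand-alone from the command line; a real form would use a persistent database), a one-hour window of five posts per IP, a placeholder recipient address, and hypothetical table names form_tokens and form_hits.

```php
<?php
// Added example, not from the thread. A self-posting form handler that
// (a) only accepts posts carrying a token it issued on the GET of the form,
// (b) limits posts per IP per window and honours visited_at = 0 as a
// permanent block (Phill's suggestion), and (c) keeps CR/LF/NUL out of mail
// headers and never takes the recipient from the form (Mike's list).
// Assumptions: PDO + SQLite, table names below, placeholder recipient.

const RECIPIENT      = 'forms@example.invalid'; // placeholder; fixed in the script
const WINDOW_SECS    = 3600;
const MAX_PER_WINDOW = 5;
const DRY_RUN        = true;  // true: build the mail but do not call mail()

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory only so the example runs stand-alone
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS form_tokens (token TEXT PRIMARY KEY, ip TEXT, issued_at INTEGER)');
    // visited_at = 0 marks an IP blocked forever; purge_old_hits() leaves those rows alone.
    $db->exec('CREATE TABLE IF NOT EXISTS form_hits (ip TEXT, visited_at INTEGER)');
    return $db;
}

function purge_old_hits(PDO $db): void {
    $db->prepare('DELETE FROM form_hits WHERE visited_at <> 0 AND visited_at < ?')
       ->execute([time() - WINDOW_SECS]);
}

// GET of the form: issue a random token and record who got it and when.
function issue_token(PDO $db, string $ip): string {
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO form_tokens (token, ip, issued_at) VALUES (?, ?, ?)')
       ->execute([$token, $ip, time()]);
    return $token;
}

// POST: the token must exist, belong to this IP and be fresh; deleting it on
// use means the same token cannot be submitted twice.
function consume_token(PDO $db, string $token, string $ip): bool {
    $st = $db->prepare('DELETE FROM form_tokens WHERE token = ? AND ip = ? AND issued_at >= ?');
    $st->execute([$token, $ip, time() - WINDOW_SECS]);
    return $st->rowCount() === 1;
}

function ip_allowed(PDO $db, string $ip): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM form_hits WHERE ip = ? AND visited_at = 0');
    $st->execute([$ip]);
    if ((int)$st->fetchColumn() > 0) {
        return false;                                   // blocked forever
    }
    $st = $db->prepare('SELECT COUNT(*) FROM form_hits WHERE ip = ? AND visited_at >= ?');
    $st->execute([$ip, time() - WINDOW_SECS]);
    return (int)$st->fetchColumn() < MAX_PER_WINDOW;
}

// Anything placed in a mail header must contain no CR, LF or NUL.
function header_safe(string $s): bool {
    return preg_match('/[\r\n\0]/', $s) !== 1;
}

function handle_request(PDO $db, string $method, string $ip, array $post): string {
    purge_old_hits($db);
    if ($method !== 'POST') {
        // The real page embeds this as <input type="hidden" name="token" value="...">.
        return 'FORM token=' . issue_token($db, $ip);
    }
    if (!consume_token($db, $post['token'] ?? '', $ip)) {
        return 'REJECT: form was not visited';
    }
    if (!ip_allowed($db, $ip)) {
        return 'REJECT: too many posts from ' . $ip;
    }
    $email   = $post['email']   ?? '';
    $subject = $post['subject'] ?? '';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || !header_safe($subject)) {
        return 'REJECT: unsafe header field';
    }
    $message = str_replace("\0", '', $post['message'] ?? '');   // body: drop NULs only
    $db->prepare('INSERT INTO form_hits (ip, visited_at) VALUES (?, ?)')->execute([$ip, time()]);

    // Recipient is fixed; the sender's address goes into Reply-To only.
    $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $email . "\r\n";
    if (!DRY_RUN) {
        mail(RECIPIENT, $subject, $message, $headers);
    }
    // htmlspecialchars() for the copy echoed back on the confirmation page.
    return 'ACCEPT: mailed to ' . RECIPIENT . ' / ' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

// Simulated run with constructed requests (no web server needed).
$db = open_db();
$ip = '203.0.113.7';                                             // constructed client address
$token = substr(handle_request($db, 'GET', $ip, []), strlen('FORM token='));
$ok = ['token' => $token, 'email' => 'a@example.com', 'subject' => 'Hello', 'message' => 'Hi <b>there</b>'];
echo handle_request($db, 'POST', $ip, $ok), "\n";               // ACCEPT ...
echo handle_request($db, 'POST', $ip, $ok), "\n";               // REJECT: token already used
$t2 = substr(handle_request($db, 'GET', $ip, []), strlen('FORM token='));
echo handle_request($db, 'POST', $ip, ['token' => $t2, 'email' => 'a@example.com',
     'subject' => "Hi\r\nsecond line", 'message' => 'x']), "\n"; // REJECT: unsafe header field
```

Run it with `php form.php` to see the three outcomes. The purge keeps rows whose visited_at is 0, which is how a permanent block list survives the hourly clean-up; note that, as Phill points out, many users can sit behind one proxy IP, so the per-IP cap is deliberately generous and the token check does most of the work.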


On Aug 2, 2006, at 2:56 AM, Phill Sparks wrote:

> Hi Mike
>
> This is quite an interesting problem that many people face.  One issue
> to be aware of is that often many people share the same public IP.
> For example I am on NTL (in England) and all of my internet traffic is
> routed through a local proxy by my ISP.  What web servers see is the
> IP Address of the proxy not the IP Address of my house, or even my
> machine.
>
> If you do wish to use this approach perhaps consider storing the
> user's IP along with the time they visited; your scripts can then
> easily delete any entries that are more than [some amount of time]
> old.  I would suggest that you might make an allowance for a time of 0
> and exclude this from the delete query so that you can add a list of
> IP Addresses to block forever.
>
> Most scripts do not use cookies, and do not use the form itself (but
> rather submit directly themselves).  You can use this information to
> your advantage.  When the user visits your form generate a random
> number (or if your site uses sessions use the session id) and add it
> hidden to your form, at this point record somewhere that the user has
> visited the form itself and when they visited.  When they submit the
> form check the database for your random number to find out a) if the
> user visited the form itself and b) if/when the user last submitted
> the form.  This way scripts must use your form to submit data (rather
> than submitting it directly).
>
> Hope this helps,
>
> Phill
>
> On 02/08/06, Mike Brandonisio <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>>  Does anyone have a good technique to prevent someone from hijacking
>>  my web form with a script and posting to it a zillion times. It's a
>>  form script that emails the form content. I've been able to prevent
>>  more than one email per post, but would also like to limit the number
>>  of posts per user IP per hour. Maybe I could write to a MySQL table
>>  and count the entries per hour from a given IP. So the table does not
>>  get full I could empty it daily.
>>
>>  Ideas?
>>
>>  Sincerely,
>>  Mike
>>  --
>>  Mike Brandonisio * Web Hosting
>>  Tech One Illustration * Internet Marketing
>>  tel (630) 759-9283 * e-Commerce
>>  [EMAIL PROTECTED] * http://www.jikometrix.net
>>
>>  JIKOmetrix - Reliable web hosting
>>
>>