 Posted by Peter Fox on 11/11/06 09:44 
Following on from J.O. Aho's message. . . 
>Matthew Wilson wrote: 
>> "J.O. Aho" <user@example.net> wrote in message 
>> news:4rjiogFrvinbU1@mid.individual.net... 
>> 
>>> Just add another input of text type (you can name it what ever you want, 
>>> say fun), you random two values and make another input of hidden type (you 
>>> can call it what ever you want, but not the same as the previous, say 
>>> real), then on the script where you receive the form you compare the two 
>>> values 
>> 
>> That's great but a little complex for our needs.  The actual capture form is 
>> HTML, only the receive script is PHP.  Can you offer a simpler version which 
>> just expects the number "5" rather than random numbers? 
>> 
>> Here is the format we follow, and the relevant field that expects a 5 is 
>> "human": 
> 
>The drawback with using a fixed value is that the spammer can adjust his 
>script to enter the value 5, so they would have a bit more work if the value 
>is random. The best is really to store things in a session, show a distorted 
>image and ask what it says on it, and compare the values from the session and 
>from the form. 
> 
> //Aho 
 
 
There is another very good reason for generating forms in PHP: 
Mr. Spammer's friend finds a suitable form, and passes /the form/ to Mr. 
Spammer.  Mr. Spammer doesn't sit at IE typing in spam, does he?  He 
hacks the GET or POST request that a browser would send.  This is 
something that any script-kiddie could do. 
 
So how do you conquer that?  It's no good you having 
<pseudo code> 
   // prepare form in PHP 
   R := Random number 
   S := SpecialFunction(R) 
   form.hidden.fieldR := R 
   form.instruction := Please type S to validate 
 
   // validate submitted form in PHP 
   R := POST[fieldR] 
   Sform := POST[fieldS] 
   Sneeded := SpecialFunction(R) 
   If(Sform <> Sneeded){ // bad form ... 
</pseudo code> 
 
Why is this no good?  Because the same form can be reused time and time  
again where R and S never change from the first time they were served. 
 
So you need to give your forms a 'unique' request number and store that  
in the session ready to match with a submitted form.  For example: 
<pseudo code> 
   // prepare form in PHP 
   R := Random number 
   SESSION[R] := R 
   S := SpecialFunction(R) 
   form.hidden.fieldR := R   // 'hidden' is cosmetic only 
   form.instruction := Please type S to validate 

   // validate submitted form in PHP 
   Rform := POST[fieldR] 
   Rneeded := SESSION[Rform]  // fetch from session, keyed by the submitted R 
   ClearFromSessionArray(Rform)  // this is single shot! 
   if(Rform <> Rneeded){  ... hacking or double submit ...->} 
   Sform := POST[fieldS] 
   Sneeded := SpecialFunction(Rneeded) 
   If(Sform <> Sneeded){ // bad form ... 
</pseudo code> 
 
This doesn't deal with other problems, especially those who GET the form 
fresh each time, but you have made a start in the right direction. 
 
 
 
--  
PETER FOX Not the same since the bridge building business collapsed 
peterfox@eminent.demon.co.uk.not.this.bit.no.html 
2 Tees Close, Witham, Essex. 
Gravity beer in Essex  <http://www.eminent.demon.co.uk>
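The second pseudo-code block in the post above, written out as a small PHP script. This is an added example, not code from the original post; `special_function()`, the `form_tokens` session key and the request-method dispatch at the bottom are my assumptions, not the author's.

```php
<?php
// Added example (not from the original post): the post's second pseudo-code
// block as a PHP script. special_function() and the 'form_tokens' session key
// are my own stand-ins; the digit-sum rule is a constructed placeholder.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Stand-in for the post's SpecialFunction(R): derives the value the human
// must type from R. Any deterministic function of R will do here.
function special_function(int $r): string
{
    return (string) array_sum(str_split((string) $r));
}

// Prepare form: issue a fresh R, remember it in the session, ask for S.
function prepare_form(): string
{
    $r = random_int(100000, 999999);
    $_SESSION['form_tokens'][$r] = true;      // SESSION[R] := R
    $s = special_function($r);
    return '<form method="post">'
        . '<input type="hidden" name="fieldR" value="' . $r . '">'   // 'hidden' is cosmetic only
        . '<label>Please type ' . htmlspecialchars($s) . ' to validate: '
        . '<input type="text" name="fieldS"></label>'
        . '<button type="submit">Send</button></form>';
}

// Validate submitted form: R must be one issued in THIS session, it is
// consumed on first use (single shot), and S must equal SpecialFunction(R).
function validate_submission(array $post): bool
{
    $rForm = $post['fieldR'] ?? null;
    if (!is_string($rForm) || !ctype_digit($rForm)
        || !isset($_SESSION['form_tokens'][$rForm])) {
        return false;   // unknown or already-used R: replay, double submit, or no session
    }
    unset($_SESSION['form_tokens'][$rForm]);   // this is single shot!
    $sForm = $post['fieldS'] ?? null;
    return is_string($sForm)
        && hash_equals(special_function((int) $rForm), trim($sForm));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo validate_submission($_POST) ? 'Accepted' : 'Rejected: bad form';
} else {
    echo prepare_form();
}
```

As the post notes, this only stops replaying a form that was served earlier; a script that fetches a fresh form before every submission still passes, so it is a start rather than a complete anti-spam measure.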