Posted by Jerry Stuckle on 11/14/59 11:21
Robertico wrote:
> I'm interested in a solution to create a "spam" secure mailform.
> I read about domain checks but they use the $HTTP_REFERER and imo that's not
> 100%.
> As the manual mentioned :"The address of the page (if any) which referred
> the user agent to the current page.
> This is set by the user agent. Not all user agents will set this, and some
> provide the ability to modify HTTP_REFERER as a feature.
> In short, it cannot really be trusted."
> Also read something about sessions. But what's the best (secure as possible)
> way to prevent using the mail form outside my domain.
>
> Robertico
>
>
Don't use hidden fields to contain the address. Rather, use a select box to put
some key value in the form and use a separate configuration file or database.
For instance, you might have:
<select name="destination">
<option value="webmaster">Webmaster</option>
<option value="custsvc">Customer Service</option>
<option value="sales">Sales</option>
</select>
Once you've validated the input, look up the selected value in your database or
config file and send the mail.
As a secondary bonus you don't have email addresses in the web form for the spam
'bots to find. Anyone will be able to use your form no matter where they came
from - but they won't be able to send to anyone except those *you* define.
Also - you can build the options dynamically depending on what's in the database
or config file. Makes it much easier.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
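A PHP mailform built on the allow-list approach described above, added here as an illustration and not code from the thread; the example.com addresses, the config array layout, the helper names and the From: header are assumptions.

```php
<?php
// Added example, not code from the original thread. Recipient addresses live
// only in this server-side allow-list; the form carries just the key. A
// database table with the same two columns would work identically.
$destinations = [
    'webmaster' => ['label' => 'Webmaster',        'address' => 'webmaster@example.com'],
    'custsvc'   => ['label' => 'Customer Service', 'address' => 'support@example.com'],
    'sales'     => ['label' => 'Sales',            'address' => 'sales@example.com'],
];

// Build the <select> from the allow-list so the form can never offer a key
// the lookup does not know about.
function render_destination_select(array $destinations): string
{
    $html = "<select name=\"destination\">\n";
    foreach ($destinations as $key => $dest) {
        $html .= sprintf("  <option value=\"%s\">%s</option>\n",
            htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($dest['label'], ENT_QUOTES, 'UTF-8'));
    }
    return $html . "</select>\n";
}

// Fetch a POST field as a plain string; arrays (name[]=...) become ''.
function post_string(string $name): string
{
    $v = $_POST[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Map the submitted key back to an address. Anything not in the allow-list,
// such as a raw e-mail address typed into a tampered copy of the form, yields null.
function resolve_destination(array $destinations, string $key): ?string
{
    return $destinations[$key]['address'] ?? null;
}

// Reject CR/LF in anything that ends up in a mail header: a newline there
// would let the sender append headers of their own.
function is_header_safe(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

$to      = resolve_destination($destinations, post_string('destination'));
$subject = post_string('subject');
if ($to === null || $subject === '' || !is_header_safe($subject)) {
    http_response_code(400);
    exit('Invalid form submission.');
}
// Only the looked-up address reaches mail(); user input is confined to subject and body.
mail($to, $subject, post_string('message'), 'From: mailform@example.com');
```

The lookup, not the form, decides who can receive mail, so a copy of the form hosted on another site still cannot reach anyone outside the three configured addresses.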