Posted by Bob Smith on 10/14/60 11:22
Jerry Stuckle wrote:
> Bob Smith wrote:
>> Jerry Stuckle wrote:
>>
>>
>>
>> Well, that is not 100%...for example a script can easily send the
>> destination=whatever simply in a get command with telnet or custom script
>> that connects to port and host and gets/posts the form.
>
> Nope. Because the destination is not taken from the form. Only a key to
> a list of predefined destinations is in the script.
>
> For instance - they could say "destination=1" which might send to customer
> service. But they could not say "destination=youvegotspam@example.com"
> because that will not be found.
>
>> there are a couple of things you might want to do to make it harder for
>> the spammers:
>> 1) set a cookie with timestamp + host + ip + browser (etc...) and check
>> the existence and validate the cookie upon script run
>> 2) check the cookie of the one requesting the form in the first place and
>> save that in the cookie, if no cookie when the script submission is
>> carried out: or error arguments in it: spammer
>> Greger
>
> Cookies can be falsified, and it doesn't take a lot of looking to figure out
> what you use in a cookie. Additionally, this method doesn't work if the
> client has cookies turned off.
I'd ideally put a cookie in an md5 thingy, to protect the data from being
visible to the user, ...then it is more difficult to figure out what is
actually in there. Simply unpack and validate upon script run.
Naturally, there is no way to make forms 100% secure...
>
> Depending on cookies is NOT secure - and can be aggravating to valid
> users.
>
>
--
http://www.kolumbus.fi/bob.smith
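
The two measures debated in this thread, sketched as an added example (not code from either poster): a server-side lookup that maps the form's destination key to a predefined address, and a timestamp + IP cookie validated when the form is submitted. It assumes an HMAC-SHA256 signature with a server-held key in place of the MD5 wrapping mentioned above; all function names, addresses and the key are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for this example; the key must stay on the server.
SECRET_KEY = b"example-only-secret-change-me"
TOKEN_MAX_AGE = 3600  # seconds a form token stays valid
# Predefined recipients; the form only ever submits the key, never an address.
DESTINATIONS = {
    "1": "customer-service@example.com",
    "2": "sales@example.com",
}

def resolve_destination(form_value):
    """Return the predefined address for a form key, or None if unknown."""
    return DESTINATIONS.get(form_value)

def _sign(timestamp, client_ip):
    msg = f"{timestamp}|{client_ip}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(client_ip, now=None):
    """Build the cookie value when the form page is served."""
    timestamp = int(time.time() if now is None else now)
    return f"{timestamp}:{_sign(timestamp, client_ip)}"

def validate_token(token, client_ip, now=None):
    """Check the cookie on submission: well-formed, unaltered, not expired."""
    now = int(time.time() if now is None else now)
    try:
        ts_text, mac = token.split(":", 1)
        timestamp = int(ts_text)
    except (AttributeError, ValueError):
        return False  # cookie missing or malformed
    if not hmac.compare_digest(mac.encode(), _sign(timestamp, client_ip).encode()):
        return False  # timestamp or IP changed, or signature made up
    return 0 <= now - timestamp <= TOKEN_MAX_AGE

def handle_submission(form_value, token, client_ip, now=None):
    """Return the recipient address, or None when the request is rejected."""
    if not validate_token(token, client_ip, now):
        return None
    return resolve_destination(form_value)
```

A client with cookies turned off reaches `handle_submission` with no token and is rejected, which is the usability cost raised in the thread; the destination lookup works without any cookie.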