Posted by cmcnaught on 10/20/59 11:26
Hi,
I have a form processing script which sends an email in response to a
(separate) form submittal. All the input validation is done client
side javascript. Recently the processing script has been hijacked by
someone calling it with random email addresses in $_POST['email'] thus
generating a lot of spurious email spam. I can think of a few ways to
reduce the possibility of this but I'm posting this to see if I can get
some ideas on the best way to secure. I'd like to check the processing
page was called from the form page but I understand that
$SERVER['HTTP_REFERER'] is not reliable. Hidden variables are easily
revealed, I'm thinking of using a cookie or a session id. Any
comments/ideas?
cj
Navigation:
[Reply to this message]
|