Posted by cmcnaught on 11/15/03 11:26
Thanks Gordon,
Good input.
This form input is not used for the database at present; in other areas
I use mysql_escape_string() or similar.
I think HTTP_REFERER can easily be spoofed.
I am the recipient of the spam, the 'to' address is hidden, no problem
for anyone else, it's the return address which is being randomized with
my domain name and posted into the form processor.
I want to avoid login for this application; I have several other sites
well protected with an encrypted password/session/cookie method.
I'm now thinking of a hidden variable which is filled in on the
onSubmit path from a JavaScript constant. That should make it a bit
harder to figure out with a script. Maybe concatenated from several
constants.
What do you think?
cj
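Added example, not part of the original post: a server-side variant of the hidden-field idea, in which the form processor checks a signed, time-limited value instead of a constant that is readable in the page source. The function names, the secret and the time limits are assumptions made for illustration.

```javascript
// Hidden-field form token: issued when the form is rendered, verified by the
// form processor before any mail is sent. All names and values are illustrative.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: stored server-side only
const MIN_AGE_S = 3;    // a submit faster than this is unlikely to be a person
const MAX_AGE_S = 3600; // token is rejected an hour after the form was served

// HMAC over the issue time, so the client cannot mint or alter a token.
function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Value for the hidden field; the page's onSubmit handler may copy it in,
// which also filters out clients that do not run script at all.
function issueToken(nowS) {
  return `${nowS}.${sign(nowS)}`;
}

// Returns 'ok' or the reason the submission should be dropped.
function checkToken(token, nowS) {
  if (typeof token !== 'string') return 'missing';
  const m = /^(\d+)\.([0-9a-f]{64})$/.exec(token);
  if (!m) return 'malformed';
  const expected = Buffer.from(sign(m[1]), 'hex');
  const given = Buffer.from(m[2], 'hex');
  // Constant-time comparison; both buffers are 32 bytes here.
  if (!crypto.timingSafeEqual(expected, given)) return 'forged';
  const age = nowS - Number(m[1]);
  if (age < MIN_AGE_S) return 'too-fast';
  if (age > MAX_AGE_S) return 'expired';
  return 'ok';
}
```

A token can still be reused until it expires, so the processor would also need to remember tokens it has already accepted if single use matters.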