Posted by Ken Robinson on 09/14/05 17:52
cmcnaught wrote:
> Just in case anyone else is looking at this with the same problem...
> What I decided to do to be pretty sure the processing page is being
> called from my form (not a fake one with a bcc injection) is to add
> hidden variables to the form that are derived from manually form
> entered variables and filled in after the submit button is pressed.
> This could be as simple as posting a string length variable for each or
> some of the input values and then checking this in the form
> processor/emailer page script. Or generate a key from the input in the
> form and compare it with a key generated by the processor page. This
> would be pretty hard to circumvent by any non-manual method.
> Any other ideas would be appreciated.
> cj
I assume you're doing this with javascript. If you are, then the
spammers will see your code if they screen scrape, which they seem to
have done in my case. Here's what I'm now doing:
<?php
// Loop through all POSTed content looking for the string 'Content-Type:'
foreach ($_POST as $k => $v) {
    if (strpos($v, 'Content-Type:') !== false) {
        //
        // Mail tracking code removed (I email a tracking email with
        // information back to myself)
        //
        // Issue a 404 - page not found. Maybe this will stop the spambots
        // from retrying my form every few hours
        header("HTTP/1.0 404 Not Found");
        exit; // stop here so the rest of the page does not send the mail
    }
}
// Check that the value passed by the Submit button hasn't been compromised
if (isset($_POST['submit']) && ($_POST['submit'] != 'Send Request')) {
    //
    // Mail tracking code removed (I email a tracking email with
    // information back to myself)
    //
    // Issue a 404 - page not found. Maybe this will stop the spambots
    // from retrying my form every few hours
    header("HTTP/1.0 404 Not Found");
    exit; // stop here so the rest of the page does not send the mail
}
?>
Ken
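
Added example, not part of the original posts: a server-side check for the bcc injection discussed in this thread. It goes beyond the 'Content-Type:' string match by rejecting any line break in values that end up in mail headers. The field names (name, email, subject, message) and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example; field names and sample data are assumed, not from the thread.

/** True if a value contains a CR or LF, which would start a new header line. */
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Checks the fields that are copied into mail headers; returns a list of errors. */
function validate_contact_post(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        // A bot can post email[]=..., so an array here is rejected as well.
        if (!is_string($value) || has_line_break($value)) {
            $errors[] = "$field: line break or non-string value";
        }
    }
    $email = $post['email'] ?? '';
    if (is_string($email) && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    // 'message' is not checked: it goes in the body, where line breaks are normal.
    return $errors;
}

// Constructed sample submissions, not captured traffic.
$samples = [
    'clean'    => ['name' => 'Ann', 'email' => 'ann@example.com',
                   'subject' => 'Hi', 'message' => "Line 1\nLine 2"],
    'injected' => ['name' => 'x', 'email' => "a@example.com\r\nBcc: list@example.net",
                   'subject' => 'Hi', 'message' => 'm'],
    'array'    => ['name' => 'x', 'email' => ['a@example.com'],
                   'subject' => 'Hi', 'message' => 'm'],
];

foreach ($samples as $label => $post) {
    $errors = validate_contact_post($post);
    echo $label, ': ',
        $errors ? 'rejected (' . implode('; ', $errors) . ')' : 'accepted', "\n";
}
```

In a form processor, mail() would be called only when validate_contact_post($_POST) returns an empty array.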