Posted by frizzle on 03/13/06 11:04
Peter Fox wrote:
> Following on from fiziwig's message. . .
> >What is the usual procedure for validating members to prevent bots from
> >"registering"? Membership number (auto-indexed) is kind of a status
> >thing, so we don't want the primo low numbers to get chewed up by bots
> >before the site even goes live for the rest of the membership. How can
> >I keep them out?
>
> Err... Validate _every_ input _always_.
> Look up SQL injection
>
> BTW Data fields are cheap: You're causing more work by trying to use
> low-numbered membership IDs as a status flag.
>
>
> --
> PETER FOX Not the same since the pancake business flopped
> peterfox@eminent.demon.co.uk.not.this.bit.no.html
> 2 Tees Close, Witham, Essex.
> Gravity beer in Essex <http://www.eminent.demon.co.uk>

AFAIK this has nothing to do with SQL injection, because this would
abuse the queries used to insert users etc., which isn't the case now.

IMHO you have to search either for "CAPTCHA", a system with an image
with some sort of text in it, in the registration form, which cannot be
read by bots, but can be read by humans,
or
you could use membership validation by email: if someone registers,
send them an email with a validation code (which e.g. will expire in 24
hrs): they have to go back to your site, fill out the code, and then
they're registered. I don't expect any bot to follow that procedure ...

Frizzle.
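
The e-mail validation flow described in the post above, as an added example that is not part of the original thread. The `Registrations` class, its in-memory tables and the rule that a membership number is allocated only at confirmation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 24 * 3600  # the 24-hour expiry suggested in the post


class Registrations:
    """In-memory stand-in for a pending-registration table (constructed for this example)."""

    def __init__(self):
        self.pending = {}      # email -> (sha256 of code, expiry timestamp)
        self.members = {}      # email -> membership number
        self.next_number = 1

    def register(self, email, now=None):
        """Create a pending entry and return the code to e-mail to the user."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)          # unguessable, from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[email] = (digest, now + TTL_SECONDS)  # store only the hash
        return code

    def confirm(self, email, code, now=None):
        """Return the new membership number, or None if the code is wrong or expired."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return None
        digest, expires = entry
        if now > expires:
            del self.pending[email]               # expired: drop the pending entry
            return None
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, digest):  # constant-time comparison
            return None
        del self.pending[email]                   # single use
        number = self.next_number                 # number allocated only now
        self.next_number += 1
        self.members[email] = number
        return number
```

Because the number is handed out in `confirm` rather than `register`, a registration that never completes the e-mail round trip consumes no membership number.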