Posted by Mazin07 on 09/20/05 05:21
Justin Koivisto wrote:
> cmcnaught wrote:
>
>>Hi,
>>I have a form processing script which sends an email in response to a
>>(separate) form submittal. All the input validation is done in client-side
>>JavaScript. Recently the processing script has been hijacked by
>>someone calling it with random email addresses in $_POST['email'], thus
>>generating a lot of spurious email spam. I can think of a few ways to
>>reduce the possibility of this, but I'm posting this to see if I can get
>>some ideas on the best way to secure it. I'd like to check that the processing
>>page was called from the form page, but I understand that
>>$_SERVER['HTTP_REFERER'] is not reliable. Hidden variables are easily
>>revealed; I'm thinking of using a cookie or a session id. Any
>>comments/ideas?
>>cj
>>
Many sites use the typical picture challenge, with the obscured random
text. That is probably an easy solution. It's not hard to call up GD
and mess up an image.
Don't use a JavaScript check.
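As an added example (not code from the thread or any of its posters), one way to do what cj is considering: bind a hidden-field token to the PHP session so revealing the field alone is useless, and move the e-mail check server side so the client-side JavaScript no longer matters. Assumes PHP 7.1+ with sessions enabled; the function names, token lifetime and mail() arguments are illustrative.

```php
<?php
// Added example, not from the thread. Both functions are shown in one file
// for illustration; the form page calls issue_form_token(), the processing
// script calls check_form_token() and validated_email() before mail().
session_start();

// Form page: mint a random one-time token, remember it in the session and
// embed it in a hidden field. Reading the hidden field out of the HTML is
// harmless, because the token only matches the session that minted it.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token']      = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Processing script: accept the POST only when the submitted token matches
// this session's token, is fresh, and has not been used before.
function check_form_token(array $post, int $max_age = 900): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $issued   = $_SESSION['form_token_time'] ?? 0;
    // Consume the token so a captured request cannot simply be replayed.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($expected === '' || time() - $issued > $max_age) {
        return false;
    }
    return hash_equals($expected, (string)($post['token'] ?? ''));
}

// Server-side replacement for the client-side e-mail check: one plain
// address, no CR/LF, so it cannot smuggle extra headers into mail().
function validated_email(array $post): ?string
{
    $email = trim((string)($post['email'] ?? ''));
    if (strlen($email) > 254 || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

// Processing script entry point: refuse anything that fails either check.
if (!check_form_token($_POST) || ($email = validated_email($_POST)) === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}
// Only now send the response mail; subject, body and From are fixed by the site.
mail($email, 'Your form submission', 'Thanks, we received your form.',
     'From: forms@example.com');
```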