Reply to Re: PHP Passing Variables Between Pages and Security


Posted by Gordon Burditt on 02/11/06 00:03

>> What exactly are you trying to protect against here? You can protect
>> against stupid bots that just have the formula for what to submit
>> for your form, and just keep re-using it. Malicious humans operating
>> manually are going to be able to get around it easily.
>
>What am I protecting? Well, this is only a first line of defense for me.
>From there, I compare vars that were submitted with ones that I expect
>as well as filtering or validating the data for those vars. At first, it
>was used to prevent those darn spam bots from submitting all my forms and
>sending me email without hindering an actual user. Again, this was/is
>used in combination with other defense mechanisms as well.

No, I asked what you were trying to protect *AGAINST*.
The answer seems to be "stupid bots sending in corrupt data", since
humans actually going to your page and putting in malicious data
won't be stopped by it, nor will smarter bots that can keep a session
cookie and emulate the action of a browser.

I think you need to work on making your code bullet-proof no matter
WHOSE form is submitted to your server, and obviously you're
validating input which is an important part of that.

Gordon L. Burditt
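
The point made in this post, as an added example that is not part of the original thread: a handler that compares the submitted variables with the expected ones and validates each value, whatever form or script sent the request. The field names, length limits and the `validate_submission()` helper are assumptions chosen for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example. Field names and limits are assumptions, not from the thread.
const RULES = [
    'name'    => '/\A[^\x00-\x1F\x7F]{1,100}\z/u',                    // one line, no control chars
    'message' => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{1,5000}\z/u', // newlines and tabs allowed
    'email'   => null,                                                // checked with filter_var()
];

/**
 * Validate a submission without trusting which form produced it.
 * Returns ['clean' => array, 'errors' => array]; use 'clean' only if 'errors' is empty.
 */
function validate_submission(array $post): array
{
    $errors = [];
    $clean  = [];

    // Compare the submitted variables with the ones we expect.
    if (array_diff_key($post, RULES)) {
        $errors[] = 'unexpected field(s) submitted';
    }

    foreach (RULES as $field => $pattern) {
        $value = $post[$field] ?? null;
        // PHP turns "name[]=x" into an array, so insist on a string.
        if (!is_string($value)) {
            $errors[] = "$field: missing or not a string";
            continue;
        }
        $value = trim($value);
        $ok = ($pattern === null)
            ? (strlen($value) <= 254 && filter_var($value, FILTER_VALIDATE_EMAIL) !== false)
            : (preg_match($pattern, $value) === 1); // invalid UTF-8 makes preg_match fail
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[] = "$field: failed validation";
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed inputs: a normal submission and one posted without using the real form.
$good = ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => "Hi,\nplease call me."];
$bad  = ['name' => ['x'], 'email' => 'not-an-email', 'message' => '', 'admin' => '1'];

var_dump(validate_submission($good)['errors']);
var_dump(validate_submission($bad)['errors']);
```

In a real handler the array passed in would be `$_POST`, and only the `clean` values would go on to the mailer or database.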
