Posted by Gordon Burditt on 02/11/06 00:32
>as the OP, i'm trying to protect against everything. while i hadn't
>thought about bots, i had thought of a criminal minded dr evil computer
>genius trying to hack my forms out of spite. while this is an unlikely
The approach of putting tokens on forms does nothing to protect
against users using a browser to pull up your form and put a bunch
of crap in it. It also does nothing to protect against smart bots
that can rapidly emulate what the aforementioned user does manually.
>scenario, i like to do things right, if i can.
>
>it seems to me one has to...
>
>1. verify the submittal page is the correct one...
>2. verify that the "salted" session variable from the submittal page is
>the same as the one received.
>
>based on responses, though, i'm thinking there is no way to do #1 with
>certainty (referrer can be spoofed). w/o #1, #2 doesn't mean too much.
>
>is that about it?
Ok, what happened to 3. *FORGET* about (1) and (2), and verify
that the submitted DATA, wherever it came from, is correct. This
would include stuff like not allowing carriage returns and line
feeds in text that will be included in email headers. Using YOUR
forms won't protect you when someone malicious fills them in.
Well, actually, (3) alone may not keep the web site operator sane
because someone can find some valid data and submit it a few million
times a week, which if it generates email to the operator, would
make his mailbox pretty useless.
Gordon L. Burditt
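An added example, not code from this thread, of the point (3) approach above: validate the submitted data itself (no CR/LF in anything that becomes a mail header) and cap repeat submissions per client so replaying valid data a few million times is dropped. The field names, limits and sample submissions are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Any CR/LF in a header-bound value is rejected outright; the address check
# is a deliberately simple shape test, not a full RFC 5322 parser.
CRLF_RE = re.compile(r"[\r\n]")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Fields this hypothetical contact form copies into mail headers.
HEADER_FIELDS = ("name", "email", "subject")


def validate_contact_form(fields):
    """Return (ok, reasons) for a dict of submitted form fields.

    Checks the data regardless of which page it claims to come from:
    no CR/LF in anything that becomes a mail header, a plausible sender
    address, and a non-empty message body.
    """
    reasons = []
    for name in HEADER_FIELDS:
        if CRLF_RE.search(fields.get(name, "")):
            reasons.append(f"{name}: CR/LF not allowed in a header field")
    if not ADDR_RE.fullmatch(fields.get("email", "")):
        reasons.append("email: not a plausible address")
    if not fields.get("message", "").strip():
        reasons.append("message: empty")
    return (not reasons, reasons)


class SubmissionLimiter:
    """Sliding-window cap on submissions per client key (e.g. source IP)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.seen = defaultdict(deque)  # key -> timestamps within the window

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.seen[key]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one with CR/LF in the address.
    good = {"name": "Alice", "email": "alice@example.com",
            "subject": "Hello", "message": "Hi there"}
    bad = dict(good, email="alice@example.com\r\nX-Injected: yes")
    print(validate_contact_form(good))  # (True, [])
    print(validate_contact_form(bad))   # (False, [two reasons])
```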