Posted by Kevin D. on 02/11/06 02:08

"Gordon Burditt" <gordonb.uuy7r@burditt.org> wrote in message
news:11uqa7881lh7l51@corp.supernews.com...
> >can a script like this be modified to *know* that the form is being
>>sent from one's own site?
>
> A form submission is sent from a BROWSER, not a server. If you
> can't trust the browser, you can't be sure where the form came from
> (REFERER might work, although it's trivially spoofed and
> often removed by proxies).
>
> Is it possible to make a vest that will protect me against
> everything but my own gun? Maybe, but I'd think you're better
> off protecting yourself against guns regardless of whether
> it's your stolen gun or not. People can put crap data
> into your form easily.
>
> Gordon L. Burditt

when it really comes down to it, i agree with gordon... forget where the
data is coming from and just verify the contents of it (he may not be saying
to completely ignore the origin of the data)

i think that's all you can really do, every other attempt to verify that the
data is coming from your own server seems futile (it's too easy to spoof and
doesn't really accomplish much even when it works)

[Back to original message]