Reply to Re: Form Security

Posted by R. Rajesh Jeba Anbiah on 03/23/06 07:56

Jerry Stuckle wrote:
> Chris Shiflett wrote:
<snip>
> Go back and look at the original problem:
>
> "I've been trying to come up with a way to ensure user input is coming from the
> form on my site, and not auto-submitted from elsewhere, and I don't want to use
> the "enter the code shown in the image" method. I know the
> $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of doing
> something similar to this: <snip>"
>
> And Chung's response:
>
> "<snip> A check on HTTP_REFERER is actually sufficient too, since ordinary
> users aren't going to be spoofing the Referer headers."
>
> This is the statement I was arguing. And it's something which can be done quite
> easily. And the code for it is actually quite simple.
<snip>

FWIW, I also think, by "auto-submitted" OP actually meant bots (not
CSRF) as he is also referring to Captcha.

Anyway, glad to see Chris here in c.l.php; we have one more security
expert here now along with Chung.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
