Addressed to: "Boget, Chris" <[EMAIL PROTECTED]>
[EMAIL PROTECTED]
** Reply to note from "Boget, Chris" <[EMAIL PROTECTED]> Thu, 1 Mar 2001 14:26:16 -0600
> It is possible (I've done it) to find out all the variables
> that make up a form on a particular site, generate a
> similar form on your site with that form's action being
> the CGI/PHP script that the particular site uses to process
> the form once submitted, modify the values for the form
> variables to be anything you want and submit the form
> that resides on your site. This will basically submit totally
> fabricated data to the foreign site and possibly screw them
> up somehow and/or in some way.
>
> Is there any way to defend against this? Is there any way
> to ensure that when a form is submitted that the submission
> request originated from your site/domain and not somewhere
> else?
No. There is no way to tell a clever programmer from a live human on
the other end of an Internet connection. You may be able to make it
harder, say making sure your form page is hit before the results are
returned, but that is easy to defeat.
Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com
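
One way to implement the "form page is hit before the results are returned" check mentioned in the reply, as an added example that is not part of the original thread: the server embeds a signed token in a hidden field when it renders the form and verifies it on submission. The function names, the TTL, the form ID and the session IDs are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). All names and values are hypothetical.

const TOKEN_TTL = 900; // seconds a served form stays valid (assumed value)

// Called when the form page is rendered; the result goes into a hidden field.
// $formId must not contain '|', which is used as the field separator.
function issue_form_token(string $secret, string $sessionId, string $formId, int $now): string
{
    $nonce   = bin2hex(random_bytes(16));
    $payload = $formId . '|' . $now . '|' . $nonce;
    // Bind the token to the session that was served the form.
    $mac = hash_hmac('sha256', $sessionId . '|' . $payload, $secret);
    return $payload . '|' . $mac;
}

// Called by the script that processes the form. True only for an unexpired
// token that was issued for this session and this form.
function verify_form_token(string $secret, string $sessionId, string $formId, string $token, int $now): bool
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return false; // missing or malformed token, e.g. a copied form without the field
    }
    [$tokenFormId, $issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued)) {
        return false;
    }
    $payload  = $tokenFormId . '|' . $issued . '|' . $nonce;
    $expected = hash_hmac('sha256', $sessionId . '|' . $payload, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;
    }
    if ($tokenFormId !== $formId) {
        return false;
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TOKEN_TTL;
}

// Constructed sample run.
$secret = 'constructed-demo-key'; // in practice a long random server-side secret
$now    = 1000000;
$token  = issue_form_token($secret, 'sess-A', 'contact', $now);
var_dump(verify_form_token($secret, 'sess-A', 'contact', $token, $now + 60));   // form served to this session
var_dump(verify_form_token($secret, 'sess-B', 'contact', $token, $now + 60));   // token taken from another session
var_dump(verify_form_token($secret, 'sess-A', 'contact', '', $now + 60));       // copied form, no token field
var_dump(verify_form_token($secret, 'sess-A', 'contact', $token, $now + 3600)); // token older than TOKEN_TTL
```

The check only establishes that the form was served to the submitting session first; a client that requests the form page before posting still passes, so every submitted value still needs server-side validation.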
--
PHP General Mailing List (http://www.php.net/)