Swear filtering is easy; I want to know how to make sure the data is coming from MY form... I'm just picky like that. :-)
Hi,
I've done it via a "ticket" system:
- into my form I've added a field
<input type="hidden" name="ticket_to_ride" value="<32-byte long generated ticket>">
- store the ticket number in the database, (optionally) with a TimeToLive
- when the POST comes, check the ticket number against the one stored in the db
- if it is found and (optionally) within the TTL, then you've got a POST from your FORM
- then delete it from the db - an attacker must get a fresh form with a new ticket and must do it within the TTL
- the ticket can be generated via MD5
Another way is to add into your page a JavaScript version of an MD5 routine (I've seen one somewhere) and into a hidden field add a checksum of the fields...
and on arrival revalidate it.
Of course this is not bullet-proof, but this is a way to make it hard for anybody to fake a POST. You can make variations of this, for example interleave your form with different tickets and into the db store only a checksum (MD5) of them; then it becomes nearly impossible to fake the form.
HTH -- Mirek Novak jabber:[EMAIL PROTECTED] ICQ:119499448
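The ticket scheme from Mirek's reply, as an added example in Python rather than PHP (not code from the post): an in-memory stand-in for the database table, a fresh random ticket per form, and a one-time check with TTL on POST, including the variation of storing only a checksum of the ticket. It uses a CSPRNG for the ticket and SHA-256 for the stored checksum where the post mentions MD5; the TicketStore name and the injectable clock are my own assumptions.

```python
import hashlib
import secrets
import time

TICKET_TTL_SECONDS = 600  # assumed TTL; the post leaves the value open


def _digest(ticket: str) -> str:
    # Variation from the post: the db holds only a checksum of the ticket,
    # so a leaked table does not hand out usable tickets. SHA-256 here
    # instead of the MD5 the post mentions.
    return hashlib.sha256(ticket.encode()).hexdigest()


class TicketStore:
    """Constructed stand-in for the db table: ticket digest -> expiry time."""

    def __init__(self, ttl: float = TICKET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be exercised in tests
        self._rows: dict[str, float] = {}

    def issue(self) -> str:
        """Generate a fresh 32-byte ticket for one form and record its digest."""
        ticket = secrets.token_hex(32)  # 32 random bytes, 64 hex chars
        self._rows[_digest(ticket)] = self.clock() + self.ttl
        return ticket

    def redeem(self, ticket: str) -> bool:
        """Validate a POSTed ticket once: unknown, expired or reused tickets fail."""
        # pop() deletes the row on first use, so a replayed ticket is rejected
        expires = self._rows.pop(_digest(ticket), None)
        if expires is None:
            return False
        return self.clock() <= expires

    def purge_expired(self) -> int:
        """Housekeeping for tickets whose form was never submitted."""
        now = self.clock()
        stale = [key for key, exp in self._rows.items() if exp < now]
        for key in stale:
            del self._rows[key]
        return len(stale)


def hidden_field(ticket: str) -> str:
    """Render the hidden input from the post with the issued ticket."""
    return f'<input type="hidden" name="ticket_to_ride" value="{ticket}">'
```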
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php