> If you are really that strict about it coming from your site, have your form
> page create an image with five letters or numbers on it - like 4Y6O7. Have it
> create a new one each time. Then use crypt to encrypt it and put the
> encrypted one into a form value, have the person that is submitting the form
> type that into a form box. After they submit it, crypt what they entered and
> check it against the hidden variable.
>
> This is almost foolproof - using Mcrypt would be better. This is sorta what
> you have to do when registering with slashdot.
This is no good unless you're saving the value server side somewhere. With this method, I can still post to your page from anywhere, so long as I set the two variables the same. Who cares if the data came from your page, just validate it!

No matter what you do, it can be defeated. Even if you come up with a random code, store it in the database, place it on the page, and make sure they match, all I have to do is write my PHP script so it requests your page, matches the code, and then generates a couple hundred posts based on that code. Or it can just run through a loop of request, match, post and do it hundreds of times a second.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
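The point of the reply is that a check whose expected value travels with the form proves nothing, because the submitter controls both halves of the comparison. The following is an added example, not code from either poster: it places the flawed check next to a version that keeps the answer in the server-side session, consumes it on first use, expires it, and throttles repeated failures. The function names, the alphabet, the TTL and the failure limit are all assumptions made for this example; rendering the code as an image is assumed to happen elsewhere.

```php
<?php
// Added example (not from the thread). Assumes the caller renders the
// returned code as an image; the code itself is never written into the HTML.
declare(strict_types=1);

const CHALLENGE_LEN = 5;     // assumed length, matching the "4Y6O7" style in the quote
const CHALLENGE_TTL = 300;   // assumed: seconds a challenge stays valid
const MAX_FAILURES  = 5;     // assumed: failed checks before this session is refused

// The design from the quoted message, for contrast. Both $hidden and $typed
// arrive in the same POST, so any client can satisfy it without ever loading
// the form. Shown only to make the weakness concrete; do not use.
function flawed_check(string $hidden, string $typed): bool
{
    return hash('sha256', $typed) === $hidden;
}

// Issue a fresh challenge; the answer lives only in the server-side session.
function issue_challenge(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // avoids 0/O and 1/I confusion
    $code = '';
    for ($i = 0; $i < CHALLENGE_LEN; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['challenge'] = ['code' => $code, 'issued' => time()];
    return $code;   // hand this to the image generator
}

// Verify and consume. Every answer, right or wrong, discards the stored
// challenge, so a solved code cannot be replayed for a second post.
function check_challenge(string $typed): bool
{
    $stored = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);

    if ($stored === null || time() - $stored['issued'] > CHALLENGE_TTL) {
        return false;                       // nothing issued, or it expired
    }
    if (($_SESSION['failures'] ?? 0) >= MAX_FAILURES) {
        return false;                       // this session has guessed too often
    }
    $ok = hash_equals($stored['code'], strtoupper(trim($typed)));
    if (!$ok) {
        $_SESSION['failures'] = ($_SESSION['failures'] ?? 0) + 1;
    }
    return $ok;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_challenge((string) ($_POST['code'] ?? ''))) {
        http_response_code(403);
        exit('Challenge failed; reload the form and try again.');
    }
    // Validate the real form fields here, exactly as if the challenge did not exist.
    exit('Accepted.');
}

$code = issue_challenge();
// Render the form: an <img> pointing at the image endpoint plus an input named "code".
// The hidden field from the quoted design is gone; there is nothing for a client to set.
```

Because the challenge is single-use and bound to one session, a script cannot solve the code once and post hundreds of times with it; each post costs the scripter a fresh fetch and a fresh solve. That still leaves the request, match, post loop the reply describes, since a script can open a new session for every attempt, so the per-session failure counter above is only a first step: limiting submissions per client address or per account over time, as the reply implies, is what makes the loop expensive, and the form data itself still has to be validated regardless of where it came from.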