Simple JavaScript [write('<code>');] will solve this. :)
This is no good unless you're saving the value server side somewhere. With this method, I can still post to your page from anywhere, so long as I set the two variables the same.
Who cares if the data came from your page, just validate it!
No matter what you do, it can be defeated. Even if you come up with a random code, store it in the database, place it on the page, and make sure they match, all I have to do is write my PHP script so it requests your page, matches the code, and then generates a couple hundred posts based on that code. Or it can just run through a loop of request, match, post and do it hundreds of times a second.
---John Holmes...
Sure, but it _costs_ something, I mean, you have to spend time or money or both to do this. So if this is as important as you do it, for your opponent it must be a little more important to fight it. In this case, the webmaster's acquisitions must "cost" a little more than an attacker is agreeable to spend on it. :)
-- Mirek Novak jabber: [EMAIL PROTECTED] ICQ: 119499448
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
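
The scheme debated in this thread, as an added example that is not part of any poster's message: a random code stored server side and made single-use, followed by validation of the submitted data itself. The function names, the `name`/`email` fields and the `$store` array (standing in for the database table) are assumptions for illustration.

```php
<?php
// Added example. $store stands in for the server-side table that holds issued codes.

function issue_token(array &$store, int $now, int $ttl = 600): string
{
    $token = bin2hex(random_bytes(16));   // unpredictable code placed on the page
    $store[$token] = $now + $ttl;         // saved server side, with an expiry time
    return $token;                        // goes into a hidden form field
}

function redeem_token(array &$store, string $submitted, int $now): bool
{
    if (!isset($store[$submitted])) {
        return false;                     // never issued, or already redeemed
    }
    $expires = $store[$submitted];
    unset($store[$submitted]);            // single use: the same code cannot be replayed
    return $now <= $expires;
}

// The token only shows the form was fetched first; the data is still checked.
function validate_post(array $post): array
{
    $errors = [];
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 50) {
        $errors[] = 'name';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;
}

function handle_post(array &$store, array $post, int $now): string
{
    if (!redeem_token($store, (string)($post['token'] ?? ''), $now)) {
        return 'rejected: token';
    }
    $errors = validate_post($post);
    return $errors ? 'rejected: ' . implode(',', $errors) : 'accepted';
}

// Constructed sample requests: a first submission, a replay, and bad data with a fresh token.
$store = [];
$good = ['token' => issue_token($store, 1000), 'name' => 'Ann', 'email' => 'ann@example.com'];
echo handle_post($store, $good, 1005), "\n";
echo handle_post($store, $good, 1006), "\n";
$bad = ['token' => issue_token($store, 1000), 'name' => '', 'email' => 'x'];
echo handle_post($store, $bad, 1005), "\n";
```

Each accepted post costs the client one extra page request, which is the cost the last reply refers to; a client that fetches the form first still passes the token check, so the validation step decides what is stored.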