----- Original Message -----
From: "Greg"
> --- In [email protected], "Bob" <[EMAIL PROTECTED]> wrote:
>>
>> Add a random $_GET number to your contact-me website link, and
>> compare it with a session that is also sent.
>
> Can you expand on that a little?
Hi Greg,
I've found a much better solution now than the above.
Most remote posting now comes as a double hit, the 1st entering by the
correct link, the 2nd, usually within a second or 2 (possibly a refresh or
something), with all your form $_POST variables set.
This defeats most protection comparing a session variable to a $_GET variable,
or anything else you try to do.
<?php
session_start();
// Compare actual time with the time set by your form.
// If less than 4 seconds, error!
// Then use a session variable to see if this is the 1st pass.
// If it is and any $_POST is set, error!
if (isset($_POST['system']) && time() - (int)$_POST['system'] <= 4)
{
    reportError('Double Hit', 'Exit');
}
elseif (!isset($_SESSION['firstpass']) && $_POST)
{
    reportError('Preset Posts', 'Exit');
}
$_SESSION['firstpass'] = 'Set';
// Input validation etc and whatever else you need here.
// Set a session var = to a random value.
$_SESSION['sessId'] = $formId = dechex(mt_rand());
?>
<input type="hidden" name="formId" value="<?php echo $formId; ?>" />
<input type="hidden" name="system" value="<?php echo time(); ?>" />
<?php
// If the $_SESSION['sessId'] doesn't match the hidden $formId, error again!
?>
There is so much more I use (including a [EMAIL PROTECTED] and swear filter),
but now comes the best part!
I tried all sorts then just happened to try this.
In my error function($error, $flag)
    if ($flag == 'Exit')
    {
        session_unset();
        session_destroy();
        header('Location: http://No-Spam-Thanks.OK');
        exit;
    }
As you can see, this is a non-existent location.
It throws a spanner in the works of an automated list.
I was on at least 3 automated lists, and as soon as I tried this 2 days ago,
all attempts immediately stopped, and none since!
Regards, Bob E.
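
Added example, not part of Bob's message: a variant of the checks above that keeps the form's render time in the session rather than in the hidden `system` field (a hidden field's value is supplied by the client) and draws the token from `random_bytes()`. The function names, the `formIssued` key and the sample timestamps are assumptions made for illustration; plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example: server-side version of the timing and token checks.
// issueForm(), checkSubmission() and 'formIssued' are hypothetical names.

const MIN_FILL_SECONDS = 4; // same threshold as in the message above

// Call when rendering the form: remember token and render time in the session.
function issueForm(array &$session, int $now): string
{
    $session['sessId'] = bin2hex(random_bytes(16)); // CSPRNG token
    $session['formIssued'] = $now;                  // stays server-side
    return $session['sessId'];                      // goes into the hidden formId field
}

// Call on POST: returns 'OK' or the reason the submission is rejected.
function checkSubmission(array &$session, array $post, int $now): string
{
    if (!isset($session['sessId'], $session['formIssued'])) {
        return 'Preset Posts'; // POST arrived without the form being served
    }
    $expected = $session['sessId'];
    $issued = $session['formIssued'];
    unset($session['sessId'], $session['formIssued']); // token is single use

    $formId = $post['formId'] ?? '';
    if (!is_string($formId) || !hash_equals($expected, $formId)) {
        return 'Bad Token';
    }
    if ($now - $issued <= MIN_FILL_SECONDS) {
        return 'Double Hit'; // submitted faster than a person could fill the form
    }
    return 'OK';
}

// Constructed sample run.
$session = [];
$t0 = 1700000000; // constructed timestamp
echo checkSubmission($session, ['formId' => 'abc'], $t0), "\n";        // no form served
$token = issueForm($session, $t0);
echo checkSubmission($session, ['formId' => $token], $t0 + 1), "\n";   // posted after 1 second
$token = issueForm($session, $t0);
echo checkSubmission($session, ['formId' => 'guess'], $t0 + 30), "\n"; // wrong token
$token = issueForm($session, $t0);
echo checkSubmission($session, ['formId' => $token], $t0 + 30), "\n";  // normal submission
echo checkSubmission($session, ['formId' => $token], $t0 + 31), "\n";  // same token replayed
```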