On Fri, 13 Aug 2004 15:36:34 -0400, James E Hicks III <[EMAIL PROTECTED]> wrote:
> On Friday 13 August 2004 02:57 pm, Gerard Samuel wrote:
> > I've read (at least on 2 occasions) that one can secure their forms, to
> > ensure that the form came from the site, and not via a script kiddie.
> > Not the method where one puts a graphic of random text to copy to the
> > form, but via a hidden field.
> > It has to do with having a hidden field of data, that must match some
> > data, when the form is posted.
> > I've been mulling over this for some time to figure out how it's
> > possible, (as I haven't seen a live example of it).
> > Could anyone point me to an example to how this can be done, (if it's
> > even possible)???
> > Thanks for your input...
>
> I think you're looking for something like this, but be warned things like
> HTTP_REFERER are/can be set by the client so you can't really trust this too
> much.
>
> if ($_SERVER['HTTP_REFERER'] != 'http://domain.com/I/AM/EXPECTING/script.php')
> {
>     echo ("Dang Script Kiddie Go Away!");
>     exit;
> }
>
> Probably better is to include, like you said, a hidden variable on the page
> that would be very hard to guess in the form before presenting it to the user
> and also save it in a database or somewhere. Then when the user submits the
> form check your database for the existence of the super hard to guess value.
> If it exists in the DB, delete it and let the user go about her business. If
> it doesn't then:
> {
>     echo ("Dang Script Kiddie Go Away!");
>     exit;
> }
>
Of course, you can then use something like HTTP_Client to both get the REFERER right and parse the HTML to get the hidden field you need. There is no sure-fire way to check for non-humans. You can use CAPTCHA, but there are programs to break those, too. ;-) CAPTCHAs are actually your best bet.

-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
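The one-time hidden-token scheme James describes, written out as an added example that is not part of the thread; it uses the PHP session as the server-side store in place of a database, and assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types):

```php
<?php
// Added example, not from the thread: a one-time hidden form token.
// The session replaces the database James suggests as the token store.

session_start();

// Issue a fresh, hard-to-guess token and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$token] = time();   // remember when it was issued
    return $token;
}

// Consume a submitted token: valid only if it was issued, is still fresh,
// and has not been used before. It is deleted on first use either way.
function consume_form_token(?string $submitted, int $max_age = 3600): bool
{
    if ($submitted === null || empty($_SESSION['form_tokens'])) {
        return false;
    }
    foreach ($_SESSION['form_tokens'] as $stored => $issued) {
        // hash_equals compares in constant time, so a near-miss leaks nothing
        if (hash_equals((string) $stored, $submitted)) {
            unset($_SESSION['form_tokens'][$stored]);   // one use only
            return (time() - $issued) <= $max_age;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    // ... handle the genuine submission here ...
    echo 'Thanks, your submission was accepted.';
} else {
    // Render the form with the token in a hidden field (HTML-escaped).
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . '<input type="text" name="comment">'
       . '<button type="submit">Send</button>'
       . '</form>';
}
```

As Justin points out, this rejects cross-site and replayed posts but not a client that fetches the form first and reads the hidden field, so it is a companion to rate limiting or a CAPTCHA rather than a replacement.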