Thanos, Thank you for your reply.
My response to the suggestions you provided is as follows:

> You can try (by personal order of preference):
> a) setting something completely random in the $Session object in the
> form's page and checking for its existence in the verify.asp. If it
> isn't there, reject the data.

If I make a session variable like this:

$Session->{SomethingRandom} = "Qty_$itemCode=2&Qty_$itemCode=3......"

That could work. However, can this session variable be made on the same page as "products.asp" as soon as the form "Submit" button is clicked? If yes, please let me know how.

> b) check the HTTP_REFERER and reject if it's not the one you're
> expecting (the page the form is in)

I will have to read more about this. I am not familiar with this method.

> c) using POST instead of GET, so as not to worry about the amount of
> user input (and making it a little more complicated to ``fabricate'' a
> request by hand).

The problem with the POST and GET methods is that I will have to name each form variable. This is not possible in my case, as I am naming the variables as "Qty_$itemCode", where $itemCode comes from the "products" database and I expect it to change very often. I think I understood right what you were saying; however, if I missed the point, let me know.

> d) obfuscating the form input, so as not to make it so obvious.

No. There is no limitation of obfuscation. There is always a possibility of someone outsmarting you.

> e) accepting form input only from trusted sources (ie registered and/or
> authenticated users).

Well, on most ASP sites I visit (and even like to visit) you can always see their products page first, even without registering at the site. Sometimes you start shopping and register when you are "Checking Out". I would like to keep it the same. Later on, every page can be visited only by registered users.

> f) IP address restriction (kinda like defeats the purpose of the web,
> don't it ?)

I think too it's not a practical solution.

> g) any combination of the above.

So please expand on your suggestion "a". Please try to answer the question I have related to suggestion a.

Thanks,
Kunal Parekh.
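
Suggestion (a) from the quoted list, sketched as an added example that is not part of the original message or of Apache::ASP's own code: the token is stored in the session when the form page is rendered and checked when the form is received, and the Qty_<itemCode> fields are read by pattern so the item codes need not be known in advance. Assumptions: plain hashes stand in for $Session and the submitted form, the field name form_token and both function names are hypothetical, and /dev/urandom is the entropy source.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# products.asp side: mint a random token, remember it in the session, and
# return it so the page can emit it as a hidden form field (name is hypothetical).
sub issue_form_token {
    my ($session) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "no entropy source: $!";
    my $raw = '';
    (read($fh, $raw, 32) // 0) == 32 or die "short read from /dev/urandom";
    close $fh;
    return $session->{form_token} = unpack('H*', $raw);
}

# verify.asp side: accept the submission only if it carries the session's
# token, then collect every Qty_<itemCode> field without knowing the codes.
sub verify_submission {
    my ($session, $form) = @_;
    my $expected = delete $session->{form_token};    # single use
    my $got      = $form->{form_token};
    return unless defined $expected && defined $got;
    # Compare digests rather than raw strings so timing does not show how much of a guess matched.
    return unless sha256_hex($expected) eq sha256_hex($got);

    my %qty;
    for my $name (keys %$form) {
        next unless $name =~ /\AQty_(\w+)\z/;
        my ($code, $value) = ($1, $form->{$name});
        next unless defined $value && $value =~ /\A[0-9]{1,4}\z/;    # digits only
        $qty{$code} = $value + 0 if $value > 0;
    }
    return \%qty;
}

# Constructed sample data: one session, one submitted form with a bad quantity.
my %session;
my $token = issue_form_token(\%session);
my %form  = (form_token => $token, Qty_A100 => '2', Qty_B200 => '3', Qty_C300 => 'x');

my $order = verify_submission(\%session, \%form);
print "accepted: ", join(', ', map { "$_=$order->{$_}" } sort keys %$order), "\n";

# Replaying the same form fails because the token was consumed.
print "replay: ", (verify_submission(\%session, \%form) ? "accepted" : "rejected"), "\n";
# A hand-built request with no session token fails as well.
print "no token: ", (verify_submission({}, { Qty_A100 => '5' }) ? "accepted" : "rejected"), "\n";
```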