To stop people from inserting to your forms, you want to ID the incoming data and its origin. You can (and should) do a referer test, but someone who is serious can fake headers, so don't rely on it.
You can also set a session var on the form page, and hash that and set it as a hidden form var. Then compare the two on the other side of the fence. If no match on all tests then something is up.
<!--- form page: writing to the session scope needs an EXCLUSIVE lock, and the hash must sit inside cfoutput to be evaluated --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
<cfset session.myFormID=createUUID()>
</cflock>
<cfoutput>
<input type="Hidden" name="myFormID" value="#hash(session.myFormID)#">
</cfoutput>
<!--- ... --->
<!--- action page --->
<cfset variables.isReferredOK=0>
<cfset variables.mybaseurl="http://foo.com">
<cfset variables.mysecureurl="https://www.foo.com">
<!---
did the post come from the base HRef?
--->
<cfif not CompareNoCase(Left(LCase(CGI.HTTP_Referer),Len(variables.mybaseurl)),variables.mybaseurl)>
<cfset variables.isReferredOK = 1>
</cfif>
<!---
did the post come from the secure HRef?
--->
<cfif not CompareNoCase(Left(LCase(CGI.HTTP_Referer),Len(variables.mysecureurl)),variables.mysecureurl)>
<cfset variables.isReferredOK = 1>
</cfif>
<!--- the hidden field must be present and must match the hash of the token stored on the form page --->
<cfif variables.isReferredOK and isDefined("form.myFormID") and isDefined("session.myFormID") and not CompareNoCase(form.myFormID,hash(session.myFormID))>
... do your thing...
</cfif>
hope this helps,
--
-------------------------------------------
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
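Added example, not part of Matt's post or of any ColdFusion library: the same two checks (referer test plus a hashed per-session form token) written in Python so the logic can be run and tested stand-alone. It assumes an in-memory dictionary standing in for the server's session scope, the two origins from the post as the allowed referers, and SHA-256 as the hash. It goes one step past the post in two places: the referer is parsed and its scheme and host compared exactly, so a host that merely starts with "foo.com" does not pass a prefix test, and the token is discarded after one successful post so the same submission cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Allowed (scheme, host) pairs; same two origins the post uses, here as example values.
ALLOWED_ORIGINS = {
    ("http", "foo.com"),
    ("https", "www.foo.com"),
}

# Constructed in-memory session store standing in for the server-side session scope.
SESSIONS = {}


def hash_token(token: str) -> str:
    """Hash the raw session token before it goes into the page (plays the role of hash())."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def render_form(session_id: str) -> str:
    """Form page: store a fresh random token in the session and emit only its hash."""
    token = secrets.token_hex(16)
    SESSIONS.setdefault(session_id, {})["myFormID"] = token
    return f'<input type="hidden" name="myFormID" value="{hash_token(token)}">'


def extract_hidden_value(html: str) -> str:
    """Pull the hidden field's value back out of the rendered form (used by the test)."""
    return html.split('value="', 1)[1].split('"', 1)[0]


def referer_ok(referer: Optional[str]) -> bool:
    """Referer test: scheme and host must match an allowed origin exactly, not just by prefix."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return (parts.scheme.lower(), (parts.hostname or "").lower()) in ALLOWED_ORIGINS


def handle_post(session_id: str, form: dict, headers: dict) -> bool:
    """Action page: the referer test and the token test must both pass."""
    session = SESSIONS.get(session_id)
    if session is None or "myFormID" not in session:
        return False
    if not referer_ok(headers.get("Referer")):
        return False
    submitted = form.get("myFormID", "")
    expected = hash_token(session["myFormID"])
    # Constant-time comparison of the submitted hash against the session's hash.
    if not hmac.compare_digest(submitted, expected):
        return False
    # One-time use: drop the token so a replay of the same post is rejected.
    del session["myFormID"]
    return True


if __name__ == "__main__":
    sid = "sess-1"
    value = extract_hidden_value(render_form(sid))
    print("good post:", handle_post(sid, {"myFormID": value}, {"Referer": "https://www.foo.com/form.cfm"}))
    print("replayed post:", handle_post(sid, {"myFormID": value}, {"Referer": "https://www.foo.com/form.cfm"}))
```

The referer test still only filters out casual mistakes, as the post says; the token comparison is the check that actually ties the submission to the session that rendered the form.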