> are not on the same server, namely spammers. I wrote this
> simple script that will work in conjunction with my other
> form validation scripts to ensure a referrer comes from the
> same CGI.HTTP_HOST.
This can't stop anything. Both HTTP_HOST and HTTP_REFERER are set by the
browser, and can be changed by anyone writing an HTTP client:

<cfhttp ...>
  <cfhttpparam type="header" name="Host" value="...">
  <cfhttpparam type="header" name="Referer" value="...">
</cfhttp>

You can take steps to make it more difficult to submit data to your action
pages, but it's hard to make it impossible. For example, you could generate
a random number when someone requests the form, and require that number when
data is submitted to the action page.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
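
The per-request token suggested in the reply above, sketched as an added example that is not part of the original post. The template names (form.cfm, action.cfm), the field name formToken, the comment field and the 15-minute lifetime are assumptions, and session management is assumed to be enabled for the application.

```cfml
<!--- form.cfm (hypothetical name): issue a fresh random token with every form view --->
<cfset formToken = GenerateSecretKey("AES")>
<cflock scope="session" type="exclusive" timeout="5">
    <cfset session.formToken = formToken>
    <cfset session.formTokenIssued = Now()>
</cflock>
<cfoutput>
<form action="action.cfm" method="post">
    <input type="hidden" name="formToken" value="#HTMLEditFormat(formToken)#">
    <textarea name="comment"></textarea>
    <input type="submit" value="Send">
</form>
</cfoutput>

<!--- action.cfm (hypothetical name): accept the post only with the token that was issued --->
<cfparam name="form.formToken" default="">
<cfset expected = "">
<cfset issued = "">
<cflock scope="session" type="exclusive" timeout="5">
    <cfif StructKeyExists(session, "formToken")>
        <cfset expected = session.formToken>
        <cfset issued = session.formTokenIssued>
        <!--- single use: remove the token so a replayed post finds nothing to match --->
        <cfset StructDelete(session, "formToken")>
        <cfset StructDelete(session, "formTokenIssued")>
    </cfif>
</cflock>
<!--- valid only if a token was issued, it matches exactly, and it is under 15 minutes old --->
<cfset tokenOk = Len(expected) GT 0
    AND Compare(form.formToken, expected) EQ 0
    AND DateDiff("n", issued, Now()) LT 15>
<cfif NOT tokenOk>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<!--- token valid: continue with the normal form validation and processing --->
```

Unlike the Host and Referer headers, the expected value is held server-side in the session, so a client cannot supply it without first requesting the form.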

