Doesn't this assume spammers/hackers know what the error checking involved, or is testing the HTTP_HOST and HTTP_REFERER just too common and spammers know to always try spoofing that one? With this wrapped in a CFTRY/CFCATCH block, even if the spammer tries to throw an error to see any underlying code exposed, they will not be able to. I could just cflocation anyone away from that page and not show any error message if the HTTP_HOST and HTTP_REFERER don't match. I guess I don't want to make it hard for the legitimate user, but don't want to make it too easy for the spammers either. If checking HTTP_HOST against the HTTP_REFERER is a big NO NO, then I'll come up with something else.
>
>This can't stop anything. Both HTTP_HOST and HTTP_REFERER are set by the
>browser, and can be changed by anyone writing an HTTP client:
>
><cfhttp ...>
> <cfhttpparam type="header" name="Host" value="...">
> <cfhttpparam type="header" name="Referer" value="...">
></cfhttp>
>