> Doesn't this assume spammers/hackers know what the error
> checking involved, or is testing the HTTP_HOST and
> HTTP_REFERER just too common and spammers know to always try
> spoofing that one? With this wrapped in a CFTRY/CFCATCH
> block, even if the spammer tries to throw an error to see any
> underlying code expose, they will not be able to. I could
> just cflocation anyone away from that page and not show any
> error message if the HTTP_HOST and HTTP_REFERER don't match.
> I guess I don't want to make it hard for the legitimate user,
> but don't want to make it too easy for the spammers either.
> If checking HTTP_HOST against the HTTP_REFERER is a big NO
> NO, then I'll come up with something else.

I'm neither a spammer nor a hacker in the pejorative sense of the word, but
I've written more than one application which submitted data directly to an
action page on another server and bypassed the form. To do this, I'd
typically run the form to see how it works, and I'd write my code so that it
sent the same data as the form did. This would include form fields as well
as HTTP request headers and cookies if necessary.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
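To make the point of the exchange concrete, here is an added illustration that is not part of the thread and not Dave Watts's or Fig Leaf's code. It is written in Python rather than CFML so it can be run directly. The first function is the Host/Referer comparison the question describes; the constructed requests below it show that a scripted client which sets those two headers satisfies it exactly as a browser does, because both values are supplied by the client. The second check, a server-issued hidden form token bound to the visitor's session with an HMAC, is one of the "something else" options: the secret key, session identifiers and request data are all constructed placeholders.

```python
"""Host/Referer comparison versus a session-bound form token.
Added example; hypothetical code, not from the mailing-list thread."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo secret; a real deployment keeps this outside source control.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def referer_matches_host(headers):
    """The check discussed in the quoted message: does the host part of the
    Referer equal the Host header?  Both headers are sent by the client, so
    any client that chooses to send them can satisfy this test."""
    host = headers.get("Host", "").strip().lower()
    referer = headers.get("Referer", "")
    if not host or not referer:
        return False
    return urlparse(referer).netloc.lower() == host


def issue_form_token(session_id):
    """Token the server embeds in the form as a hidden field.  It is bound to
    the visitor's session, so it cannot be derived from request headers."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def form_token_valid(session_id, submitted_token):
    """Constant-time comparison of the submitted hidden field against the
    token the server would have issued for this session."""
    if not submitted_token:
        return False
    return hmac.compare_digest(issue_form_token(session_id), submitted_token)


def classify(request):
    """Report which of the two checks a request passes."""
    return {
        "referer_check": referer_matches_host(request["headers"]),
        "token_check": form_token_valid(
            request["session_id"], request["fields"].get("form_token", "")
        ),
    }


# Constructed requests (placeholder host and session ids, not real data).
BROWSER_POST = {
    "headers": {"Host": "www.example.com",
                "Referer": "http://www.example.com/contact.cfm"},
    "session_id": "sess-A1",
    "fields": {"comment": "hello", "form_token": issue_form_token("sess-A1")},
}
SCRIPTED_POST = {
    # Same two headers as the browser, but the form was never loaded, so no token.
    "headers": {"Host": "www.example.com",
                "Referer": "http://www.example.com/contact.cfm"},
    "session_id": "sess-B2",
    "fields": {"comment": "buy now", "form_token": ""},
}

if __name__ == "__main__":
    for name, req in (("browser", BROWSER_POST), ("script", SCRIPTED_POST)):
        print(name, classify(req))
```

The token only raises the bar to where Dave's message already puts it: a script that first loads the form with its own session cookie and copies the hidden field back, as his description of replaying headers and cookies implies, will pass both checks. What the token does add is that a submission cannot be produced from headers alone, and a submission posted on behalf of some other visitor's session fails, which is the cross-site case a Referer comparison is usually meant to catch. Treating a failed check with a silent cflocation, as the question suggests, works with either approach; the difference is only in how much a client has to do to pass.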