Dave Watts wrote:
>What's to stop me from using CFHTTP to request the form, find out the
>CFID/CFTOKEN values for the Client variables, then use CFHTTP to post
>data to the action page along with the matching CFID/CFTOKEN?

Nothing, but I'm curious to see if anything can be done.  Against a multi-step attack like that, I don't think anything can stop a 'foreign' post other than the type-in-what-you-see-in-the-box box bit.

Serves to point up the importance of data validation.


--
-------------------------------------------
Matt Robertson,     [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
