There's been a lot of discussion on this topic in the past. You can check
the House Of Fusion archives for them.
In general, the best method I've heard of is dynamically generating a unique
value on form display that needs to be submitted to the form processing
page. Basically, when the user first requests the form, generate a unique
value and store it in a hidden field of the form or in a cookie. Also store
the value on the server (SESSION, database, etc.). When the form is
submitted, compare the form/cookie value to the server-side value. This
ensures that the form used to submit to your site is your own form and not
someone else's.
--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/
Donnie Carvajal [mailto:[EMAIL PROTECTED] wrote:
> So, any ideas on the best way to keep outside sites from submitting my
> forms?
Mosh Teitelbaum [mailto:[EMAIL PROTECTED] wrote:
> > The "Referer" header is optional. HTTP Clients are not required to send the
> > header or, if they do, are not required to be truthful about the data
> > specified by the header. Additionally, a lot of systems along the path of
> > the HTTP connection (firewalls, gateways, etc.) can strip the header before
> > it reaches your server. In short, don't rely on the HTTP_REFERER value.
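
The per-form token check described at the top of this message, sketched in Python as an added example that is not part of the original thread or any poster's code. The `SESSIONS` dict, the `form_token` field name, the `/process` action and all function names are hypothetical stand-ins for whatever session storage and form the site actually uses.

```python
import hmac
import secrets
from html import escape

# Constructed stand-in for server-side storage (SESSION scope, database, etc.).
SESSIONS = {}

def render_form(session_id):
    """Form display: mint a fresh token, keep it server-side, embed it in the form."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    SESSIONS.setdefault(session_id, {})["form_token"] = token
    return (
        '<form method="post" action="/process">\n'
        f'  <input type="hidden" name="form_token" value="{escape(token)}">\n'
        '  <input type="text" name="comment">\n'
        '</form>'
    )

def process_form(session_id, fields):
    """Form processing: accept only if the submitted token matches the stored one."""
    # pop() makes the token single-use: any attempt, good or bad, consumes it,
    # so a replayed submission fails until the form is displayed again.
    expected = SESSIONS.get(session_id, {}).pop("form_token", None)
    submitted = fields.get("form_token")
    if not expected or not isinstance(submitted, str):
        return False  # form was never displayed to this session, or field missing
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def extract_token(html):
    """Demo helper: read the hidden field's value back out of the rendered form."""
    marker = 'name="form_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

if __name__ == "__main__":
    page = render_form("sess-A")
    post = {"form_token": extract_token(page), "comment": "hi"}
    print("own form:     ", process_form("sess-A", post))
    print("replayed post:", process_form("sess-A", post))
    render_form("sess-A")
    print("foreign form: ", process_form("sess-A", {"comment": "spam"}))
```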

