> > * Check the form was actually submitted from within the
> > site? Perhaps via CGI, although I'm sure that may have issues as well.
>
> CGI.HTTP_REFERER can be spoofed quite easily.

What I did for this was generate a session variable on the form page, and then check for it in the processor. This doesn't work if users have cookies turned off, but they won't be able to submit the form anyway unless they turn them on. Anti-cookie people are paranoid freaks, anyway. ;)

The more we talk about it, the more I think using these 3 things might be the killer solution:

1. Session var to verify submission came from the form
2. Hidden empty form field, to throw off spammers that auto-fill all fields
3. Time difference between form load time and submission

I just thought of another problem with #3, though. A lot of people use form auto-fillers, like the Google Toolbar. If your form is simple enough that their autofill gets all the data, they'll submit the form too fast.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:260410
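
The three checks listed in the message above, combined in one form and processor, as an added example that is not part of the original post. It assumes session management is enabled for the application; the file names `form.cfm` and `process.cfm`, the field names `token` and `website`, the 3-second threshold and the `formspam` log name are hypothetical. Because of the auto-filler problem the message raises, a too-fast submission is held for review instead of rejected.

```cfml
<!--- form.cfm (hypothetical name): issue a one-time token and note the render time --->
<cfset session.formToken = createUUID()>
<cfset session.formIssued = now()>
<cfoutput>
<form action="process.cfm" method="post">
  <input type="text" name="email">
  <textarea name="comments"></textarea>
  <!--- Check 2: honeypot. Hidden from people by CSS, filled by bots that populate every field --->
  <div style="display:none"><input type="text" name="website" value=""></div>
  <!--- Check 1: token that must match the copy held in the session --->
  <input type="hidden" name="token" value="#session.formToken#">
  <input type="submit" value="Send">
</form>
</cfoutput>

<!--- process.cfm (hypothetical name) --->
<cfparam name="form.token" default="">
<cfparam name="form.website" default="">
<cfset minSeconds = 3> <!--- assumed threshold; tune it to the length of the form --->
<cfset verdict = "accept">
<cflock scope="session" type="exclusive" timeout="5">
  <cfif NOT structKeyExists(session, "formToken") OR NOT len(form.token)
        OR compare(form.token, session.formToken) NEQ 0>
    <cfset verdict = "reject-token">
  <cfelseif len(trim(form.website))>
    <cfset verdict = "reject-honeypot">
  <cfelseif dateDiff("s", session.formIssued, now()) LT minSeconds>
    <!--- Check 3: timing is only a soft signal, since browser autofill can be this fast --->
    <cfset verdict = "hold-too-fast">
  </cfif>
  <!--- Single use: delete the token so a replayed POST fails check 1 --->
  <cfset structDelete(session, "formToken")>
  <cfset structDelete(session, "formIssued")>
</cflock>
<cfif verdict NEQ "accept">
  <cflog file="formspam" text="#verdict# from #cgi.remote_addr#">
</cfif>
<cfif left(verdict, 6) EQ "reject">
  <cfheader statuscode="400" statustext="Bad Request">
  <cfabort>
</cfif>
<!--- verdict is "accept" or "hold-too-fast" here: store the submission,
      routing held ones to manual review instead of sending them on --->
```

One token per session means opening the form in a second tab invalidates the first; keying tokens by form instance avoids that at the cost of more session state.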

