>> method left me vulnerable to tampering,

I am not sure what you are trying to accomplish. It seems rather vague. Are
you trying to prevent people from submitting their own forms to your site?

G?



On Thu, Jun 11, 2009 at 5:27 PM, Byte Me <[email protected]> wrote:

>
> > Since the form submit won't inherently send the 'type' of the field
> > that was sent, you could use a method of naming your fields according
> > to the type of form field that was used.  eg.  <select
> > name="sel_state"><option>...
> > or <input type="text" name="txt_Name_First">
> > or <textarea name="tarea_comments">
> >
> > Just a thought.
> >
> > William
>
> That's what I had been doing, but I realized that this method left me
> vulnerable to tampering, since keywords in the field name are sent to the
> user. The keywords could be changed, thus bypassing the validation. I now
> realize, from the responses above, that saving the name and type (on the
> server, in a session variable) is the answer. I can continue to use coded
> field names, but also do a comparison of what was sent, to what was
> returned, and if anything was changed in the field name, I can simply abort;
> better yet, I will know that there was an attempt to tamper with the form,
> and I can block the IP (for one hour, five hours, a day, etc., etc.).
>
>
> 
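
The server-side comparison described in the quoted message above, sketched in CFML as an added example (not code from anyone in the thread). It assumes session management is enabled and ColdFusion 9 or later script syntax; `registerForm`, `checkSubmission`, the `formToken` hidden field and the sample rules are hypothetical names chosen for illustration.

```cfml
<cfscript>
// Added example. registerForm/checkSubmission and the "formToken" hidden
// field are hypothetical names; the schema below is constructed sample data.

// On render: keep each field's name and validation rule in the session.
function registerForm(required struct schema) {
    var token = createUUID();
    if (!structKeyExists(session, "formSchemas")) session.formSchemas = {};
    session.formSchemas[token] = duplicate(arguments.schema);
    return token; // send to the browser as hidden field "formToken"
}

// On submit: compare what came back with what the server recorded.
function checkSubmission(required struct submitted) {
    var errors = [];
    var name = "";
    var rule = {};
    var token = structKeyExists(submitted, "formToken") ? submitted.formToken : "";
    if (!len(token) || !structKeyExists(session, "formSchemas")
            || !structKeyExists(session.formSchemas, token)) {
        return { ok = false, errors = ["unknown or expired form token"] };
    }
    var schema = session.formSchemas[token];
    structDelete(session.formSchemas, token); // each token is single use
    for (name in submitted) {
        // ColdFusion adds FIELDNAMES to the FORM scope itself; skip it.
        if (listFindNoCase("fieldnames,formToken", name)) continue;
        if (!structKeyExists(schema, name)) arrayAppend(errors, "unexpected field: " & name);
    }
    for (name in schema) {
        rule = schema[name];
        if (!structKeyExists(submitted, name)) {
            // Unchecked boxes and similar are simply absent from a POST.
            if (rule.required) arrayAppend(errors, "missing field: " & name);
        } else if (structKeyExists(rule, "allowed")) {
            if (!listFind(rule.allowed, submitted[name])) arrayAppend(errors, "bad value: " & name);
        } else if (!isValid(rule.type, submitted[name])) {
            arrayAppend(errors, "bad value: " & name);
        }
    }
    return { ok = arrayIsEmpty(errors), errors = errors };
}

// Form page (constructed schema using the thread's field names):
token = registerForm({
    txt_Name_First = { type = "string", required = true },
    sel_state      = { type = "string", required = true, allowed = "CA,NY,TX" },
    tarea_comments = { type = "string", required = false }
});
// Action page: result = checkSubmission(form);
</cfscript>
```

Because the validation rule is looked up by the name the server recorded, a renamed field shows up as one unexpected field plus one missing field instead of silently selecting a weaker check.
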

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323431