>> Part of the verification in the processing can be reliant upon something 
>> executing in JavaScript and being passed in with the form submission.  

While I do not disagree with your statements, anything that is part of the
form data that can be generated by JavaScript can be submitted without it
by, as you said, capturing a "real" form submission and then simulating it.
The final protection has to be server side because you cannot rely on the
data sent by the client.


>> The idea with these kinds of protections is to make it sufficiently
>> inconvenient for an attacker to go to the trouble and move on to the next
>> guy who is easier to exploit.

>> Abuse can be a hard problem to solve.

Very!  It is almost always proportional to the potential gain of the abuse.
In Rick's case there is a fairly high financial gain to be had by the
verification of credit card numbers.

Like you, we had a donation page for a client and they too were getting a
large number of abusive submissions until we put it behind a signup/login
page that required a valid email address and an easy to read captcha.  In
that case it solved the issue and they had no more problems, but then they
were clearing the CC numbers manually so there was always human oversight.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com
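The point made above, that a client-generated flag proves nothing and the real check has to happen on the server, as an added example that is not code from this thread or from any of the posters. It assumes a server-held secret, an in-memory nonce store and the field names `form_token`, `email` and `amount`, all of which are constructed for the illustration. The server mints a signed, expiring, single-use token when it renders the form; on submission it ignores any "js_passed"-style assertion, verifies the signature, rejects a replayed capture of an earlier submission, and validates the fields itself.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: this secret lives only on the server; the value here is a constructed demo value.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _sign(form_id: str, nonce: str, expires: int) -> str:
    """HMAC over the token body so the client cannot forge or edit it."""
    msg = f"{form_id}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(form_id: str, now: int, ttl: int = 600) -> str:
    """Server mints a single-use, expiring token when it renders the form."""
    nonce = secrets.token_hex(8)
    expires = now + ttl
    return f"{form_id}|{nonce}|{expires}|{_sign(form_id, nonce, expires)}"


class FormValidator:
    """Server-side check that gives no weight to anything the client merely asserts."""

    def __init__(self) -> None:
        # Assumption: in-memory set of consumed nonces; a real deployment needs a shared store.
        self.used_nonces: set = set()

    def validate(self, fields: dict, now: int) -> tuple:
        # 1. Client-supplied flags such as "js_passed" are ignored entirely:
        #    whatever JavaScript can place in the form, a script replaying it can place too.
        token = fields.get("form_token", "")
        parts = token.split("|")
        if len(parts) != 4 or not parts[2].isdigit():
            return False, "missing or malformed token"
        form_id, nonce, expires_s, mac = parts
        expires = int(expires_s)
        # 2. Only a server-signed token shows the form was actually served by us.
        if not hmac.compare_digest(mac, _sign(form_id, nonce, expires)):
            return False, "bad token signature"
        if expires < now:
            return False, "expired token"
        # 3. A captured "real" submission cannot be resubmitted: each nonce is accepted once.
        if nonce in self.used_nonces:
            return False, "replayed token"
        # 4. Field validation happens here, not in the browser.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", fields.get("email", "")):
            return False, "invalid email"
        amount = fields.get("amount", "")
        if not re.fullmatch(r"\d+(\.\d{1,2})?", amount) or float(amount) <= 0:
            return False, "invalid amount"
        self.used_nonces.add(nonce)
        return True, "accepted"


if __name__ == "__main__":
    v = FormValidator()
    tok = issue_form_token("donate", now=1000)
    good = {"form_token": tok, "email": "donor@example.org", "amount": "25.00"}
    print(v.validate(good, now=1100))                    # (True, 'accepted')
    print(v.validate(good, now=1100))                    # (False, 'replayed token')
    print(v.validate({"js_passed": "1", **good}, 1100))  # still replayed: the flag changes nothing
```

The token check replaces nothing in the signup/login/captcha approach described above; it only removes the temptation to treat a JavaScript-produced field as evidence of a human, and it makes a captured submission worthless after its first use.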



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354497