If you are really that strict about it coming from your site, have your form page create an image with five letters or numbers on it - like 4Y6O7. Have it create a new one each time. Then use crypt to encrypt it and put the encrypted one into a form value, and have the person that is submitting the form type that into a form box. After they submit it, crypt what they entered and check it against the hidden variable.

This is almost foolproof - using Mcrypt would be better. This is sort of what you have to do when registering with slashdot.

-----Original Message-----
From: Mirek Novak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 12, 2003 9:43 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Importance: Low

[EMAIL PROTECTED] wrote:
> Swear filtering is easy, I want to know how to make sure the data is
> coming from MY form....I'm just picky like that. :-)

Hi,

I've done it via a "ticket" system - into my form I've added the field
<input type="hidden" name="ticket_to_ride" value="<32-byte long generated ticket>">
- store the ticket number in the database (optionally) with a TimeToLive
- when the POST comes, check the ticket number against the one stored in the db
- if found and (optionally) within the TTL, then you've got a POST from your FORM
- then delete it from the db
- an attacker must get a fresh form with a new ticket and must do it within the TTL
- the ticket can be generated via MD5

Another way is to add into your page a JavaScript version of the MD5 routine (I've seen one somewhere), put a checksum of the fields into a hidden field .... and on arrival revalidate it.

Of course this is not bullet-proof, but this is a way to make it hard for anybody to fake a POST. You can make variations of this, for example interleave your form with different tickets and store only a checksum (MD5) of them in the db; then it becomes nearly impossible to fake the form.

HTH

--
Mirek Novak
jabber:[EMAIL PROTECTED] ICQ:119499448

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
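The ticket scheme from the quoted message, written out as an added PHP example that is not either poster's code. It assumes a session-backed ticket store and a 600-second TTL in place of the database table Mirek describes, and uses random bytes rather than MD5 for the ticket value.

```php
<?php
// Added example, not the poster's code: a single-use, time-limited form ticket
// of the kind described in the quoted message. Tickets live in $_SESSION here
// instead of a database table; the check-and-delete logic is the same either way.
const TICKET_TTL = 600; // seconds a ticket stays valid (assumed value)

// Issue a fresh ticket when the form is rendered and remember its expiry.
function issue_ticket(array &$store, int $now): string
{
    // Drop tickets whose TTL has passed so the store cannot grow without bound.
    $store = array_filter($store, fn(int $expires) => $expires >= $now);
    // 16 random bytes -> 32 hex characters; unguessable, unlike md5(time()).
    $ticket = bin2hex(random_bytes(16));
    $store[$ticket] = $now + TICKET_TTL;
    return $ticket;
}

// Check the ticket that came back with the POST. A known ticket is removed
// whether or not it is still within its TTL, so each one works at most once.
function redeem_ticket(array &$store, mixed $submitted, int $now): bool
{
    if (!is_string($submitted) || !isset($store[$submitted])) {
        return false; // missing, unknown, or already used
    }
    $expires = $store[$submitted];
    unset($store[$submitted]);
    return $now <= $expires;
}

// Hidden field for the form page, escaped even though the value is hex.
function ticket_field(string $ticket): string
{
    return '<input type="hidden" name="ticket_to_ride" value="'
        . htmlspecialchars($ticket, ENT_QUOTES, 'UTF-8') . '">';
}

// Request flow: issue on GET, verify on POST, reject anything without a fresh ticket.
session_start();
$_SESSION['tickets'] ??= [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!redeem_ticket($_SESSION['tickets'], $_POST['ticket_to_ride'] ?? null, time())) {
        http_response_code(403);
        exit('Form submission did not carry a valid ticket.');
    }
    // handle the submitted message here
} else {
    $ticket = issue_ticket($_SESSION['tickets'], time());
    echo '<form method="post">' . ticket_field($ticket) . '<button>Send</button></form>';
}
```

Because the store is tied to the visitor's session, a ticket scraped from one session cannot be replayed from another, which is the property a shared database table has to enforce explicitly.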