Damn... you're right. I missed that key word "image". Sorry. But... and there's always a but, there are text recognition programs out there that'll read the text off of the image. So, usually the recommendation is to use varying font sizes and a textured background, so they will hopefully fail. You'd have to be protecting something good to really make this worthwhile, though.
And since the original question was for a shoutbox, I doubt you'd want to be creating an image for every post to a shoutbox. User registration, yeah, but not for a shoutbox. :)

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

> -----Original Message-----
> From: Dennis Cole [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:54 PM
> To: CPT John W. Holmes
> Subject: RE: [PHP] Hacker problem
>
> A script cannot read a number from an image.
>
> -----Original Message-----
> From: CPT John W. Holmes [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 5:01 PM
> To: Dennis Cole; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Hacker problem
> Importance: Low
>
> > If you are really that strict about it coming from your site, have your
> > form page create an image with five letters or numbers on it - like 4Y6O7.
> > Have it create a new one each time. Then use crypt to encrypt it and put
> > the encrypted one into a form value, have the person that is submitting
> > the form type that into a form box. After they submit it, crypt what they
> > entered and check it against the hidden variable.
> >
> > This is almost foolproof - using Mcrypt would be better. This is sorta
> > what you have to do when registering with Slashdot.
>
> This is no good unless you're saving the value server side somewhere. With
> this method, I can still post to your page from anywhere, so long as I set
> the two variables the same.
>
> Who cares if the data came from your page, just validate it!
>
> No matter what you do, it can be defeated. Even if you come up with a
> random code, store it in the database, place it on the page, and make sure
> they match, all I have to do is write my PHP script so it requests your
> page, matches the code, and then generates a couple hundred posts based on
> that code. Or it can just run through a loop of request, match, post and do
> it hundreds of times a second.
>
> ---John Holmes...
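
The point in the quoted reply about saving the value server side, as an added example that is not part of the original thread: the stateless hidden-field check accepts any pair the sender builds, while a stored, single-use challenge accepts each issued id once. All function names are hypothetical, a PHP array stands in for a session or database table, and SHA-256 stands in for the `crypt()` call suggested in the thread.

```php
<?php
// Added example: all names are hypothetical; an array stands in for a session or DB table.

// Stateless scheme from the thread: the hash of the answer rides in a hidden field.
// SHA-256 stands in for crypt() here (assumption); the flaw is the same.
function verify_stateless(string $typed, string $hiddenHash): bool
{
    return hash_equals($hiddenHash, hash('sha256', $typed));
}

// Server-side scheme: the answer never leaves the server except inside the image.
function issue_challenge(array &$store, int $now, int $ttl = 300): array
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $answer = '';
    for ($i = 0; $i < 5; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $id = bin2hex(random_bytes(16));      // opaque id, safe to put in the form
    $store[$id] = ['answer' => $answer, 'expires' => $now + $ttl];
    return ['id' => $id, 'answer' => $answer];
}

function verify_stored(array &$store, string $id, string $typed, int $now): bool
{
    if (!isset($store[$id])) {
        return false;                     // never issued, or already used
    }
    $entry = $store[$id];
    unset($store[$id]);                   // single use: burned on the first attempt
    if ($now > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['answer'], strtoupper(trim($typed)));
}

// Constructed demonstration.
$store = [];
$now = time();
// A pair the server never issued, built entirely by the sender:
var_dump(verify_stateless('AAAAA', hash('sha256', 'AAAAA')));
$c = issue_challenge($store, $now);
// First submission of an issued id, then the same id again, then a made-up id:
var_dump(verify_stored($store, $c['id'], $c['answer'], $now));
var_dump(verify_stored($store, $c['id'], $c['answer'], $now));
var_dump(verify_stored($store, 'not-issued', 'AAAAA', $now));
```

The stored check closes the self-made pair and the reuse of one code. As the reply notes, a script that requests a fresh page for every post still gets through unless reading the image is what stops it.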