Greg Schnippel wrote:

Has anyone developed a really good defense against email injection attacks?

I've implemented a complex algorithm to help prevent this problem. Every form I have has a text field with a random name surrounded by the text... "If you are human please enter 'human' (without quotes) in this box: ________. If you do not then your request will be ignored under the assumption that you are an automated system." The PHP then checks that there is a field that contains the word 'human' and nothing else. If it does not, it dies with a very short message describing what they did wrong and that they should go back and try again. You could enhance it by changing the text that's expected, or all of the text that surrounds the box.

So far it's worked perfectly, and it makes people chuckle rather than annoyed, which solutions like captcha appear to do.

Hope that helps.

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
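
The check described in the message above, sketched as an added example; it is not code from the original post or its author. The session key `human_field`, the helper names and the `email` form field are assumptions, and the CR/LF rejection on the address is an addition beyond the post, since the word check only filters automated submissions and does not itself stop header injection.

```php
<?php
session_start();

// Hypothetical helper: one random field name per session, so a script
// cannot hard-code the name of the box it has to fill in.
function challenge_field(): string {
    if (empty($_SESSION['human_field'])) {
        $_SESSION['human_field'] = 'f_' . bin2hex(random_bytes(8));
    }
    return $_SESSION['human_field'];
}

// True only when the random-named field holds the word 'human' and nothing else.
function challenge_ok(array $post): bool {
    $name = $_SESSION['human_field'] ?? '';
    return $name !== '' && isset($post[$name])
        && is_string($post[$name]) && $post[$name] === 'human';
}

// Addition beyond the post: a value destined for a mail header must not
// contain CR or LF, which is how extra headers get injected.
function header_safe(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 0;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!challenge_ok($_POST)) {
        http_response_code(400);
        die("You did not enter 'human' in the box. Please go back and try again.");
    }
    unset($_SESSION['human_field']); // next form gets a fresh field name
    $from = $_POST['email'] ?? '';
    if (!is_string($from) || !header_safe($from)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        die('That e-mail address is not valid. Please go back and try again.');
    }
    // The validated $from can now be used when building the message.
    echo 'Thank you, your request has been accepted.';
    exit;
}
$field = htmlspecialchars(challenge_field(), ENT_QUOTES);
?>
<form method="post">
  <p>Your e-mail: <input type="text" name="email"></p>
  <p>If you are human please enter 'human' (without quotes) in this box:
     <input type="text" name="<?= $field ?>"></p>
  <p><input type="submit" value="Send"></p>
</form>
```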
