On Wednesday 01 May 2002 04:05, Cal Evans wrote:
> Generate a random number when creating a form, store it in the session and
> in a hidden on the form. Then when the post comes back, make sure the
> hidden is there and that it matches the one in the session.

But the flaw in that is, if the nasty user was determined, there's nothing to stop them from:

1) looking at the source of the legitimate page
2) grabbing the 'hidden' value
3) creating their own form along with that hidden value
4) opening a new window
5) loading their own form and submitting away.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* People say I live in my own little fantasy world... well, at least they *know* me there! -- D.L. Roth */

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
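The token scheme Cal Evans describes, and the limit Jason Wong points out, as an added example that is not from either poster. It is written in modern PHP (random_bytes, hash_equals and the ?? operator need PHP 7 or later); the function names, the field name form_token and the sample qty field are my own choices. The token check binds a POST to the session that was shown the form, which is useful against cross-site request forgery, but it cannot tell a submission from the site's own form apart from one a user built by copying the hidden value, so every other field is still validated as untrusted input.

```php
<?php
// Added example (not from the original thread): the session-token check from
// the quoted suggestion, in modern PHP. Names below are assumptions, not the
// list's code.
declare(strict_types=1);

session_start();

// Called when rendering the form: mint a fresh token, keep a copy in the
// session, and hand it back for the hidden field.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Called on POST: the hidden field must be present and match the session copy.
// The session copy is consumed whether or not the check passes, so one token
// cannot be replayed for a second submission.
function checkFormToken(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);

    if ($expected === null
        || !isset($post['form_token'])
        || !is_string($post['form_token'])) {
        return false;
    }
    return hash_equals($expected, $post['form_token']); // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!checkFormToken($_POST)) {
        http_response_code(400);
        exit('Form token missing or invalid.');
    }

    // The token only proves this POST came from a browser holding this session
    // that was shown the form. It says nothing about the other fields, which
    // may have come from a hand-built form, so validate each one server-side.
    $qty = filter_var(
        $_POST['qty'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]
    );
    if ($qty === false) {
        http_response_code(400);
        exit('Invalid quantity.');
    }

    echo 'Accepted quantity ', $qty;
    exit;
}

$token = issueFormToken();
?>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Quantity <input type="number" name="qty" min="1" max="99"></label>
  <button type="submit">Order</button>
</form>
```

Save the script as a single page served over a session-enabled PHP install; a GET renders the form with a fresh token, and the following POST is accepted only if form_token matches the session copy and qty passes its own range check. Rejecting on a missing or mismatched token is the detection point worth logging, since legitimate browsers submitting the rendered form will always carry the current value.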