On Wednesday 01 May 2002 04:05, Cal Evans wrote:
> Generate a random number when creating a form, store it in the session and
> in a hidden on the form. Then when the post comes back, make sure the
> hidden is there and that it matches the one in the session.

But the flaw in that is if the nasty user was determined, there's nothing to 
stop them from:

1) looking at the source of the legitimate page
2) grabbing the 'hidden' value
3) creating their own form along with that hidden value
4) opening a new window
5) loading their own form and submit away.

Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

People say I live in my own little fantasy world... well, at least they
*know* me there!
                -- D.L. Roth

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to