On Wednesday 01 May 2002 04:05, Cal Evans wrote:
> Generate a random number when creating a form, store it in the session and
> in a hidden on the form. Then when the post comes back, make sure the
> hidden is there and that it matches the one in the session.

But the flaw in that is if the nasty user was determined, there's nothing to 
stop them from:

1) looking at the source of the legitimate page
2) grabbing the 'hidden' value
3) creating their own form along with that hidden value
4) opening a new window
5) loading their own form and submitting away.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
People say I live in my own little fantasy world... well, at least they
*know* me there!
                -- D.L. Roth
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
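The issue-and-check scheme from the quoted message, as an added Python example that is not code from this thread. It assumes a plain dict standing in for the server-side session and makes the token single-use and time-limited, which the message does not specify:

```python
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an issued form token


def issue_token(session: dict, form_id: str, now: Optional[float] = None) -> str:
    """Create a fresh random value for one form and remember it in the session.

    `session` stands in for the server-side session store (e.g. $_SESSION);
    the returned string is what goes into the hidden field. Tokens are keyed
    by form_id so a value issued for one form is not accepted by another.
    """
    now = time.time() if now is None else now
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session.setdefault("form_tokens", {})[form_id] = (token, now)
    return token


def verify_token(session: dict, form_id: str, submitted: Optional[str],
                 now: Optional[float] = None) -> bool:
    """Compare the posted hidden value with the session copy and consume it.

    The stored copy is removed on every attempt, so each issued token can
    succeed at most once; a copy posted again from a second window fails.
    """
    now = time.time() if now is None else now
    stored = session.get("form_tokens", {}).pop(form_id, None)
    if stored is None or not submitted:
        return False  # nothing issued, or the hidden field is missing
    token, issued_at = stored
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False  # stale token: the form was generated too long ago
    # constant-time comparison so a mismatch does not leak timing information
    return hmac.compare_digest(token, submitted)
```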
