PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Hiermenus
DatabaseJournal
Technology Jobs

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Covalent Extends Apache 2.0 to Microsoft ASP.NET
ShopWorX - Support for Windows
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Network Risk Assessment
Full-Featured, Java-Based Apache GUI

Partners & Affiliates

In Case You Missed It...The Month of July
Pro PHP Security: Preventing SQL Injection
PHP Designer IDE Review
Creating a Printer Version � Grab Method
Storing Data in the Client

Sr. Web Developer
mediabistro.com
US-NY-New York

Post A Job | Post A Resume

Comments for: ian_gilfillan20060412

Message # 1510133:

Date: 07/19/07 00:17
By: Stephen
Subject: limitations of vanesca's approach

This is a great article and will be very helpful to me... I didn't know how mail forms could be exploited, and now I do! Or at least, I know a lot more than I did.

I want, however, to point out a limitation in vanesca's alternative approach (which is basically a "token" strategy). The problem with vanesca's script is that confirming that somebody is coming from a specific page doesn't mean that they can't alter their scripts to always visit that page first before visiting your email submission page.

I.e. if you have a page:
contact.php
and another page:
contact_submit.php

Assume contact.php has the form that you fill out, and the form's "action" is contact_submit.php. So... you can confirm that they are coming from contact.php, but that alone doesn't prevent their computer from visiting contact.php 100,000 times in rapid succession and just submitting the form from there. It is just a bit more difficult.

However, if you did this in combination with CAPTCHA images, they would have to crack the CAPTCHA to use your form.

Either way, if you validate the form submission server-side the way described here, they may find it impossible to use your form for spam even if they crack the CAPTCHA. That is why the approach described here is useful.

Previous Message | Next Message

Comments:
inperfect is_valid_email function	Constantin	12/10/08 06:39
RE: Mi emails reach spam box	Boris	09/18/08 20:34
PHP & database	Aman	07/04/08 01:54
Coad not working	Mobarak ALi	06/01/08 10:03
Call PHP when receiving an email on server	Lorenzo	05/17/08 18:50
Mi emails reach spam box	Raul	05/16/08 16:08
Hardened Email Forms	Pops TX	03/27/08 18:58
RE: how can I see a copy of spam being sent ?	Peter Quast	01/07/08 23:31
limitations of vanesca's approach	Stephen	07/19/07 00:17
help me on registration to email	atq	06/26/07 19:58
Another Correction	Ron	06/26/07 04:42
HELP!!!!	Danny Wright	06/19/07 16:51
A different methode	vanesca	06/15/07 01:45
dodgy_string	Alan	05/09/07 14:20
Script Correction	Spudchat	04/28/07 21:35
If you are looking for help, please post on the appropriate forum here. Your questions will be answered much more quickly. Add A Comment: Name: Email: Subject: Message: To reduce spam posts, messages are now manually approved You are not [logged in]. That means your account will not get credit for this post.

Comments for: ian_gilfillan20060412

Add A Comment: