[nycphp-talk] form spoofing
inforequest
1j0lkq002 at sneakemail.com
Tue May 1 12:47:37 EDT 2007
Hi Michael.
Can you think of any good reason to accept a submission via a known open
proxy? You can grab a maintained open proxy list and use it for a while
Rolan-style... to tag potential spam as an experiment. Every market is
different, but in the tech world I see no valid reason to accept
connections from known open proxies (they are always spam). As a
competitive SEO, I know of no easier way to automate web connections
than via open proxies.
Bot nets are still a problem and all the big boys use them so maybe get
used to a little spam here and there as well.
-=john
Michael Southwell michael.southwell-at-nyphp.com |nyphp dev/internal
group use| wrote:
> I thought I was following best practices (
> http://www.nyphp.org/phundamentals/spoofed_submission.php ) in
> creating a comment form for a restaurant client (There is no security
> issue here; the comments are emailed):
>
> I stored a random token in the session:
>
> session_start();
> if ( ! isset( $_SESSION['secret'] ) ) $_SESSION['secret'] = uniqid(
> rand(), TRUE );
>
> I hid that token in the form:
>
> <form action="comments.php" method="post" onSubmit="return
> checkForm(this)">
> <input type="hidden" name="secret" value="<?= $_SESSION['secret'] ?>" />
>
> Upon submission, I checked for the token:
>
> if ( $_POST['secret'] !== $_SESSION['secret'] ) die( 'invalid form
> submission' );
>
> But I still got obvious spoofed submissions, not very many of them,
> and all vapid and often nonsensical (a sample: "I consider that beside
> Your site there is future!"), but still maddening. So I added a
> five-minute timeout:
>
> if ( ! isset( $_SESSION['timeout'] ) ) {
> $timeout = time() + 5 * 60;
> $_SESSION['timeout'] = $timeout;
> }
>
> and checked for that as well:
>
> $now = time();
> if ( $_POST['secret'] !== $_SESSION['secret'] || $now >
> $_SESSION['timeout'] ) die( 'invalid form submission' );
>
> But this hasn't helped much; I still get a few of them, though I can't
> figure out how they can be generated. Any advice?
>
>
> Michael Southwell, Vice President for Education
> New York PHP
> http://www.nyphp.com/training - In-depth PHP Training Courses
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
--
-------------------------------------------------------------
Your web server traffic log file is the most important source of web business information available. Do you know where your logs are right now? Do you know who else has access to your log files? When they were last archived? Where those archives are? --John Andrews Competitive Webmaster and SEO Blogging at http://www.johnon.com
More information about the talk
mailing list