Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Email spam - possible problem.

One of the ways to protect an email form is to force the user to submit using a valid form. I do this like so, when the user visits the form the script creates the token and adds it as an invisible field to the form. When processing the submission the script looks for this token and verifies that it is still valid (this could be a file on the server, session variable, or database entry) and if it isn't valid I deny the input. This prevents a script from just dumping values onto your send email script (which is probably the source of the spam). 

I should point out that I delete the token after it is used once.

This doesn't totally protect your script but is usually enough to hold things back. Basically this works like a machine readable captcha. Which of course really just ads another step for someone writing a script to have to contend with. However, since it forces a script to request a token and then submit some data you end up with a LOT of log entries for their IP address, something which is fairly easy to notice.

It should be noted that there is no real way to make a script "totally secure" rather you can only make it more secure. You have to decide what an appropriate level of security is. Investigate your script looking for possible holes. One of these would be using request values where hard coded or server side variables could work just as well. Another possible hole would be using the eval function or including files based on a submitted value. In my situation I find some scripts are sufficiently protected just by checking the HTTP_REFERRER value while others require an authenticated user or even some web server level protection (i.e. .htaccess).
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Web-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/web-dev/email@hidden

This email sent to email@hidden
References: 
 >Email spam - possible problem. (From: Mark Wheeler <email@hidden>)
 >Re: Email spam - possible problem. (From: Errol Sayre <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.