Re: Email spam - possible problem.

You need to make sure that a token only gets used once.

This could be a simple as unsetting it in the session once you verify it is a valid session.

unset($_SESSION['form_lock']);

This makes it necessary to view your form each time they try to submit data to your script.

On Nov 24, 2006, at 2:37 AM, Mark Wheeler wrote:

Hi Errol,

OK, I tried to go this route, and I'm not sure if I'm doing it right. Here's what I did. The form loads and this happens.

<CODE>-------------------------

session_start();

.

.

.

$token = md5(uniqid(rand(),true));

$_SESSION['form_lock'] = $token;

.

.

.

<input type="hidden" name="form_lock" value="{$token}">

</CODE>-------------------------

Then when the form is submitted, I check the hidden field against the session variable like so.

<CODE>--------------------------

session_start();

if (!isset($_SESSION['form_lock']) || !isset($_POST['form_lock']) || $_SESSION['form_lock'] != $_POST['form_lock']) {

   header("Location: elistCE.php?action="">

   exit;

}

</CODE>-------------------------

Is this how what you were speaking about? It works, but all a spammer would have to do is load the form, look at the source code, find the input tag with the token value, plug it into his script and he can get through. Now am I over simplifying this or doing it the wrong way (not how you do it)?

Thanks,

Mark

----------------------------

On Nov 21, 2006, at 11:28 AM, Errol Sayre wrote:

One of the ways to protect an email form is to force the user to submit using a valid form. I do this like so, when the user visits the form the script creates the token and adds it as an invisible field to the form. When processing the submission the script looks for this token and verifies that it is still valid (this could be a file on the server, session variable, or database entry) and if it isn't valid I deny the input. This prevents a script from just dumping values onto your send email script (which is probably the source of the spam).