View Full Version : How to stop spookster? (Forms posting from off site)

04-09-2003, 08:12 AM
Lol, I've hit a brick wall.. Spookster has used his super powers to bypass my character limit settings from a form on his computer, I presume.. Now I have set a letter limit server-side to stop him in his tracks no matter where the form is posted from, but I'd still like to stop people (spookster first ;)) from being able to post to my processing page from their own forms.

HTTP_REFERER doesn't work.. So I've no idea how to do it. :confused:

PS: Thanks Spooks!/All hail spookster! ;):)

04-09-2003, 08:31 AM
lol Who me? :D Guess I will just have to find other holes to exploit. Muahahaha

04-09-2003, 08:33 AM
You'd better! It's good practice for me. :) Gonna tell me how to stop the forms?
[edit:] Plus in a day or 2 I should have something resembling a forum for you to break :D..

04-09-2003, 09:46 AM

instantiate a session var on the form entry side and test for it on the receiving side.

04-09-2003, 09:51 AM
Originally posted by Ökii

instantiate a session var on the form entry side and test for it on the receiving side.

Already have a plan of attack for that defense too.

Go ahead make my day. Do ya feel lucky punk? Well do ya? :D

04-09-2003, 11:28 AM
Yup, shouldn't be too tricky to get around that one. 'Tis one more obstacle in the way of peeps like you though :D

Short of using a Flash input field or a Java-based interface, all the little tricks I can think of have subtle workarounds.

Though maybe md5(rand(0,100000)) and creating 32 hidden form fields to carry that hash, which then gets validated against a session-held var, would be annoying enough to stop spooksters from bothering.

Or the obvious 'input digits from generated image' ploy, which would mean you'd need to manually construct a posting script each time, though even those images can be read and interpreted by GD at a push.
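The session-bound token idea from the two posts above (a value generated when the form is rendered, stored in the session, and checked on the receiving side), as an added example that is not code from the thread. It assumes modern PHP (7+, for random_bytes() and hash_equals()), working sessions, and a hypothetical shout box with a single text field named "shout"; the 200-byte limit and the ten-minute token lifetime are made-up values for illustration. The server-side length check the original poster already added is kept, because the token is no substitute for it.

```php
<?php
// Added example, not code from the thread: a per-render form token kept in the
// session and verified by the processing page, so a POST assembled on someone
// else's site arrives with no token (or one tied to a different session) and
// is rejected. Assumes PHP 7+ and that session cookies are enabled.
session_start();

const MAX_SHOUT_LENGTH = 200; // assumed limit; the server-side check is what counts

function issue_form_token(): string {
    // Fresh, unpredictable token for this render, remembered server-side only.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

function check_form_token(?string $submitted, int $max_age = 600): bool {
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = (int) ($_SESSION['form_token_time'] ?? 0);
    // One-shot: the token is consumed whether or not the check passes.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($expected === null || $submitted === null) {
        return false;              // no form was rendered for this session
    }
    if (time() - $issued > $max_age) {
        return false;              // stale render; make the user reload the form
    }
    // Constant-time comparison so the token can't be guessed byte by byte.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired, or not issued to this session.');
    }
    $shout = trim((string) ($_POST['shout'] ?? ''));
    // Never rely on maxlength in the HTML; the browser is the attacker's tool.
    if ($shout === '' || strlen($shout) > MAX_SHOUT_LENGTH) {
        http_response_code(400);
        exit('Shout must be between 1 and ' . MAX_SHOUT_LENGTH . ' bytes.');
    }
    // ... store $shout here; escape it with htmlspecialchars() when displaying ...
    exit('Posted.');
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="shout" maxlength="<?= MAX_SHOUT_LENGTH ?>">
  <input type="submit" value="Shout">
</form>
```

What this does and does not buy: a raw POST from a form copied onto another site fails, and so does a replayed or guessed token. A scripted client that first fetches the form while keeping the session cookie, then posts the token it was handed, passes; that is the workaround the second poster has in mind, and it is why the token is a speed bump rather than a wall. Checking HTTP_REFERER adds nothing on top of this, since the referrer is set by the client and can be omitted or forged. The length check and output escaping on the server remain the controls that actually protect the shout box.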

04-09-2003, 11:30 AM
Heheh, bring it on sporks! :)
I've disabled the char limit just so you can prove you are posting from your own form.
Thanks Ökii! :D

04-09-2003, 12:29 PM
Do you have any frames on your site? Anywhere. It doesn't even need to be related to your forum. If there is a frame on the domain, you can use an IE exploit to submit data and you'll think it's from your own site.

04-09-2003, 12:38 PM
/mes just a host® limits whooo can just a use® the formmailer by having the 'client' enter the control panel firsttt n' just a dd® the forms 'recipient' to the just a uthorized® list...
sooo since 'spook's emale twouldnt be onnn thattt list??? the form would just a ppear® to go thru n' thennn the viewer...aka spook would get the ol'...sorry you do not have permission to use this formmailer...aka youre not just a uthorized® recipient...

just a nother® suggestion...

04-09-2003, 10:48 PM
It's for my shout box. :D .. And I do have frames. :confused: