  1. #1
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post

    How to stop spookster? (Forms posting from off site)

    Lol, I've hit a brick wall.. Spookster has used his super powers to bypass my character limit settings from a form on his computer I presume.. Now I have set a letter limit on the server side to stop him in his tracks no matter where the form is posted from but I'd still like to stop people (spookster first ) from being able to post to my processing page from their own forms.

    HTTP_REFERER doesn't work.. So I've no idea how to do it.

    PS: Thanks Spooks!/All hail spookster!
    Omnis mico antequam dominus Spookster!

  • #2
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    lol Who me? Guess I will just have to find other holes to exploit. Muahahaha
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #3
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    You'd better! It's good practice for me. Gunna tell me how to stop the forms?
    [edit:] Plus in a day or 2 I should have something resembling a forum for you to break ..
    Omnis mico antequam dominus Spookster!

  • #4
    Regular Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    577
    Thanks
    0
    Thanked 0 Times in 0 Posts
    sessions...

    instantiate a session var on the form entry side and test for it on the receiving side.
    Ökii - formerly pootergeist
    teckis - take your time and it'll save you time.

  • #5
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    Originally posted by Ökii
    sessions...

    instantiate a session var on the form entry side and test for it on the receiving side.
    Already have a plan of attack for that defense too.

    Go ahead make my day. Do ya feel lucky punk? Well do ya?
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #6
    Regular Coder
    Join Date
    Jun 2002
    Location
    UK
    Posts
    577
    Thanks
    0
    Thanked 0 Times in 0 Posts
    yup - shouldn't be too tricky to get around that one - 'tis one more obstacle in the way of peeps like you though

    short of using a flash input field or java based interface all the lil tricks I can think of have subtle workarounds -

    though maybe md5(rand(0,100000)) and creating 32 hidden form fields to carry that hash - which then gets validated against a session held var would be annoying enough to stop spooksters from bothering.

    or - the obvious 'input digits from generated image' ploy - would mean you'd need to manually construct a posting script each time - though even those images can be read and interpreted by GD at a push.
    Ökii - formerly pootergeist
    teckis - take your time and it'll save you time.
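
An added example, not code from the thread or from any poster: the session-held hidden-field token suggested in posts #4 and #6, combined with the server-side length limit from post #1. It substitutes `random_bytes()` and `hash_equals()` for `md5(rand(0,100000))`, which can only take 100,001 distinct values; the field names, `MAX_MESSAGE_LEN` and the `$session` array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example. $session stands in for $_SESSION so the script also runs
// from the CLI; the field names 'form_token' and 'message' are hypothetical.
const MAX_MESSAGE_LEN = 200; // assumed limit in bytes, not from the thread

// Form page: create a token, keep it in the session, and return it so the
// page can embed it in a hidden field.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $session['form_token'] = $token;
    return $token;
}

// Processing page: accept the post only if the hidden field matches the
// session token AND the message passes the server-side checks.
function accept_post(array &$session, array $post): array
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']); // single use: a replayed post fails
    $given = $post['form_token'] ?? '';
    // is_string() guards against form_token[]=x arriving as an array.
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return [false, 'missing or stale form token'];
    }
    $message = $post['message'] ?? '';
    if (!is_string($message) || trim($message) === '') {
        return [false, 'empty message'];
    }
    // Enforced here regardless of any maxlength attribute in the HTML form.
    if (strlen($message) > MAX_MESSAGE_LEN) {
        return [false, 'message too long'];
    }
    return [true, 'accepted'];
}

// Constructed sample requests (not captured traffic).
$session = [];
$token = issue_form_token($session);
$cases = [
    'own form, valid token'  => ['form_token' => $token, 'message' => 'hello'],
    'same token replayed'    => ['form_token' => $token, 'message' => 'hello again'],
    'off-site form, no token' => ['message' => str_repeat('A', 5000)],
];
foreach ($cases as $label => $post) {
    [$ok, $reason] = accept_post($session, $post);
    printf("%-24s => %s (%s)\n", $label, $ok ? 'ACCEPT' : 'REJECT', $reason);
}
```

As post #6 concedes, a script that requests the form page first still receives a valid token, so the length check on the processing page is the control that holds no matter where the form is posted from.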

  • #7
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    Heheh, bring it on sporks!
    I've disabled the char limit just so you can prove you are posting from your own form.
    Thanks Ökii!
    Omnis mico antequam dominus Spookster!

  • #8
    Regular Coder
    Join Date
    Jun 2002
    Location
    Montreal, Canada
    Posts
    644
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Do you have any frames on your site? Anywhere. Doesn't need to be even related to your forum. If there is a frame on the domain you can use an IE exploit to submit data and you'll think it's from your own site.

  • #9
    Regular Coder
    Join Date
    Jun 2002
    Posts
    676
    Thanks
    1
    Thanked 0 Times in 0 Posts
    mht...
    /mes just a host® limits whooo can just a use® the formmailer by having the 'client' enter the control panel firsttt n' just a dd® the forms 'recipient' to the just a uthorized® list...
    sooo since 'spook's emale twouldnt be onnn thattt list??? the form would just a ppear® to go thru n' thennn the viewer...aka spook would get the ol'...sorry you do not have permission to use this formmailer...aka youre not just a uthorized® recipient...

    just a nother® suggestion...

  • #10
    Senior Coder Mhtml's Avatar
    Join Date
    Jun 2002
    Location
    Sydney, Australia
    Posts
    3,531
    Thanks
    0
    Thanked 1 Time in 1 Post
    It's for my shout box. .. And I do have frames.
    Omnis mico antequam dominus Spookster!

