Quote:
Originally Posted by Redcoder
Well, that's a spam hole in itself. I can do simple HTML injection and input an ID - probably starting sequentially - unless you use random IDs.
If you re-read my original reply about this, you'll see I was way ahead of you when I mentioned:
Quote:
Originally Posted by tangoforce
You could also put the user's ID number in the form (or a hashed version of it at least / a random value) so that you can compare the session data to make sure it belongs to the right user, should another user log in with the same session ID.
Quote:
Originally Posted by Redcoder
Posting messages when logged out and they will be posted 'somewhere' in that user's space... then post the messages with, let's say, my ruthless bots, mate. What would your application be able to do about that?
I dunno what to say.. I'm stumped

Oh hang on..
I guess the password confirmation page that is between the http submission and the processing would luckily stop those nasty bots getting any further

Any submission that isn't verified within say 5 minutes doesn't need to be kept and can be blackholed.
To be honest though Red, you're assuming that the attacker will know how the code on the back end operates. What happens when the form field names are all random values? The bot master can send all the forms they want but if the field names haven't been generated or don't match..
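Putting the three ideas from this reply together (a user binding in the form, random field names generated per session, and blackholing anything not verified within 5 minutes) as an added worked example. This is not code from the thread; it is Python with a constructed server secret and an in-memory dict standing in for real session storage, and the function names are my own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed for the demo; a real app would load its secret from config (assumption).
SERVER_SECRET = b"constructed-server-secret-for-demo"
FORM_TTL_SECONDS = 5 * 60  # submissions not verified within 5 minutes are dropped


def user_binding(session_id: str, user_id: int) -> str:
    """HMAC of the user ID under the session ID: the form carries this value, and
    on submission it must agree with whoever the session currently belongs to."""
    msg = f"{session_id}:{user_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form(session: dict, logical_fields: List[str]) -> dict:
    """Build a form for this session: random HTML field names plus the user binding.
    The logical->random name map lives only in the session, never in the page."""
    field_map = {name: "f_" + secrets.token_hex(8) for name in logical_fields}
    form_id = secrets.token_hex(16)
    session.setdefault("pending_forms", {})[form_id] = {
        "fields": field_map,
        "issued_at": time.time(),
    }
    return {
        "form_id": form_id,
        "fields": field_map,  # what the template renders as input names
        "uid": user_binding(session["id"], session["user_id"]),
    }


def accept_submission(session: dict, posted: Dict[str, str],
                      now: Optional[float] = None) -> Optional[dict]:
    """Validate a POST against the session. Returns the decoded logical fields, or
    None when the submission is rejected: unknown or stale form, user binding that
    no longer matches the session, or field names the session never issued."""
    now = time.time() if now is None else now
    pending = session.get("pending_forms", {})
    entry = pending.get(posted.get("form_id", ""))
    if entry is None:
        return None
    if now - entry["issued_at"] > FORM_TTL_SECONDS:
        del pending[posted["form_id"]]  # blackhole: nothing to keep after 5 minutes
        return None
    expected_uid = user_binding(session["id"], session["user_id"])
    if not hmac.compare_digest(posted.get("uid", ""), expected_uid):
        return None  # session now belongs to someone else
    field_map = entry["fields"]
    if set(posted) - {"form_id", "uid"} != set(field_map.values()):
        return None  # field names were guessed, not the ones this session was given
    del pending[posted["form_id"]]  # one-time use
    return {logical: posted[rand] for logical, rand in field_map.items()}


def demo() -> dict:
    """Run the legitimate flow and three rejected ones; returns each outcome."""
    session = {"id": secrets.token_hex(16), "user_id": 42}

    # 1. Browser posts back the random names it was rendered with.
    form = issue_form(session, ["subject", "body"])
    good = {"form_id": form["form_id"], "uid": form["uid"],
            form["fields"]["subject"]: "hi", form["fields"]["body"]: "hello"}
    good_result = accept_submission(session, good)

    # 2. A bot that knows the form exists but guesses the logical field names.
    form = issue_form(session, ["subject", "body"])
    bot = {"form_id": form["form_id"], "uid": form["uid"],
           "subject": "spam", "body": "spam"}
    bot_result = accept_submission(session, bot)

    # 3. Another user logs in on the same session ID before the form comes back.
    form = issue_form(session, ["subject", "body"])
    other = {"form_id": form["form_id"], "uid": form["uid"],
             form["fields"]["subject"]: "x", form["fields"]["body"]: "y"}
    session["user_id"] = 7
    other_result = accept_submission(session, other)
    session["user_id"] = 42

    # 4. A correct form that arrives after the 5-minute window.
    form = issue_form(session, ["subject", "body"])
    stale = {"form_id": form["form_id"], "uid": form["uid"],
             form["fields"]["subject"]: "late", form["fields"]["body"]: "late"}
    stale_result = accept_submission(session, stale,
                                     now=time.time() + FORM_TTL_SECONDS + 1)

    return {"good": good_result, "bot": bot_result,
            "other_user": other_result, "stale": stale_result,
            "pending_left": len(session["pending_forms"])}
```

The field-name map is what defeats a bot that only knows the HTML from one page load: the names are per session, so a canned POST body matches nothing. The HMAC binding covers the "same session ID, different user" case from the earlier reply, and the timestamp check means unverified submissions never reach the processing step.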