The same can be accomplished with POST-only forms
using CURL. A very common way to prevent it is to use
a cookie or session variable to store a hidden
string, or password if you will. I have found that
just using a random text generator with a hidden
input field will stop almost all of the fake
submissions.

If you need some help writing it in PHP, feel free
to let me know.

Ralph Harmon

Paul M Foster wrote:
> Ken Elliott wrote:
>>>> They send this as a page request to the server. The server processes it
>>>> as though it actually came from viewing the page, emailing me the
>>>> "response".
>>
>>>> Does that sound right?
>>
>> Yes. The response to a form will be something like
>> http: // mydomain.com / replypage.pgp ?username=joe & color=red
>> (I added spaces to prevent it from displaying as a link)
>>
>> Your server will take the file 'replypage.pgp' and process it. PGP will
>> extract the variables 'username' and 'color'. In your case, I suspect the
>> script will craft an email to you with that data, and generate a reply page
>> for the non-existent user. Thus you see an email from your server.
>>
>
> Yes. I get an email and the user gets a "Thank You" page.
>
>> Try it for yourself. Fill out the form and submit it. Copy the URL and
>> modify the contents of the fields. Paste it back into the browser and
>> you'll get another email. It's fun and the whole family can play...
>>
>
> This would work as suggested if the fields were passed as GETs, but they
> are passed as POSTs. In any case, I see the principle involved. POSTs
> are a bit more complicated, but can be generated from a script.
>
> Paul
>
>
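
The session-variable and hidden-input check described at the top of this message, as an added example that is not code from the thread. The field name form_token is an assumption; username and color are the sample fields used in the quoted text.

```php
<?php
// Added example: "form_token" and both helper function names are hypothetical.
session_start();

// Generate a random token, keep the only trusted copy in the session.
function issue_form_token()
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the submitted hidden field with the session copy, then discard it
// so the same token cannot be replayed for a second submission.
function consume_form_token($submitted)
{
    $expected = isset($_SESSION['form_token']) ? $_SESSION['form_token'] : null;
    unset($_SESSION['form_token']);
    // is_string() also rejects form_token[]=... array input.
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = isset($_POST['form_token']) ? $_POST['form_token'] : null;
    if (!consume_form_token($submitted)) {
        // A POST built by a script that never loaded the form ends up here.
        http_response_code(400);
        exit('Invalid or missing form token.');
    }
    // Token matched: call the existing mail-sending code at this point.
    echo 'Thank you.';
    exit;
}

$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="username">
  <input type="text" name="color">
  <input type="submit" value="Send">
</form>
```

This rejects POSTs sent without first loading the form in the same session. A script that fetches the page, keeps the session cookie and copies the hidden field will still pass, so the check is a filter rather than a guarantee.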