vineld Posted July 26, 2009 Share Posted July 26, 2009 I have seen the following suggestion in several locations on the internet which is supposed to protect you against some attacks. 1. Generate a unique id that is stored as a session variable 2. Store the id in a hidden form field 3. When submitted check that the id is correct This will indeed prevent people from submitting fake post requests but I am still able to let a bot script post the form itself a thousand times so what is really the point of this? Quote Link to comment Share on other sites More sharing options...
jonsjava Posted July 26, 2009 Share Posted July 26, 2009 Quite a few bots will scrape a website (rather than download it every time) for forms, and store the form variables in a database. It will then just submit to it constantly, with the same form fields every time. The method you mentioned stops this type of attack. I usually just add a select field with "I'm a spammer" as the default. If they submit with that, they are spammers. So helpful of them to tell you who they are. Quote Link to comment Share on other sites More sharing options...
vineld Posted July 26, 2009 Author Share Posted July 26, 2009 Quite a few bots will scrape a website (rather than download it every time) for forms, and store the form variables in a database. It will then just submit to it constantly, with the same form fields every time. The method you mentioned stops this type of attack. I usually just add a select field with "I'm a spammer" as the default. If they submit with that, they are spammers. So helpful of them to tell you who they are. Is that really common these days? Have you tracked any stats on how many you've encountered? Why don't they just use a proper submit script instead when it's just as easy? Of course it consumes more resources but that shouldn't be a huge problem... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.