[SOLVED] securing a registration form



euphorian
Forum Newbie
Posts: 3
Joined: Sat Jul 10, 2004 12:37 am

securing a registration form

Post by euphorian »

Hi, I designed a little snippet that prevents people from registering hundreds of accounts on a game server. It generates an image of 5 numbers between 0 and 9, and they have to confirm that number in a text box.

There is one problem though: a malicious person could easily get around this by going to script.php?securitycode=42181&confirmsecuritycode=42181

Because they aren't using the form to register, they are using a URL.
I need some way to prevent this, because the PHP page holds scode as a hidden form value, and the confirm is a form text value, but still, if you see what I'm saying, there's a way around this.

I'm terrible at ideas, hehe, that's the problem.

So could anyone help me? thanks.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I dunno, but maybe you can use POST instead of GET in the form method?
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Why don't you make it a little more complex and store the number that you print out in a session or the database, that a session/cookie refers to. And then when the form is submitted you check the value they submitted against the one in the session/database - and since they need to have a session/cookie - they have to have received it from the page that prints the number to copy out.

You can also check that the HTTP referer was the page on your site.
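The session-based check described above, written out as an added example (this is not code from euphorian or kettle_drum). The generated code lives only in the session, so a request that carries both `securitycode` and `confirmsecuritycode` in the URL no longer has anything to match against. The session key names, the helper names, the 10-minute lifetime and the field name `confirmsecuritycode` (taken from the original post) are assumptions. The referer check is left out on purpose: the Referer header is client-supplied and frequently absent, so it is at most a soft signal, while the session comparison is the control that actually closes the hole.

```php
<?php
// Added example, not from the thread: keep the code server-side in the session,
// accept only POST, consume the code on first use, expire it, and compare in
// constant time. Key names and the lifetime below are assumed values.
declare(strict_types=1);
session_start();

const CODE_LENGTH   = 5;
const CODE_LIFETIME = 600; // seconds a code stays valid (assumed)

/** Generate the 5-digit code with a CSPRNG; rand()/mt_rand() output is predictable. */
function generateCode(int $length = CODE_LENGTH): string
{
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= (string) random_int(0, 9);
    }
    return $code;
}

/** Called when the registration page (or the image script) is rendered. */
function issueCode(): string
{
    $code = generateCode();
    $_SESSION['securitycode']        = $code;
    $_SESSION['securitycode_issued'] = time();
    return $code; // hand this to the image generator only; never echo it into the HTML
}

/**
 * Called on form submission. Rejects anything but POST, removes the stored
 * code before comparing (one image = one attempt), rejects expired codes and
 * uses hash_equals() so the comparison time does not leak matching digits.
 */
function verifyCode(?string $submitted): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    if (!isset($_SESSION['securitycode'], $_SESSION['securitycode_issued'])) {
        return false;
    }
    $expected = (string) $_SESSION['securitycode'];
    $issued   = (int) $_SESSION['securitycode_issued'];
    unset($_SESSION['securitycode'], $_SESSION['securitycode_issued']);

    if ($submitted === null || time() - $issued > CODE_LIFETIME) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Request handling for the registration page.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (verifyCode($_POST['confirmsecuritycode'] ?? null)) {
        echo 'Code accepted';   // continue with account creation here
    } else {
        echo 'Wrong or expired code, please request a new image';
    }
} else {
    $code = issueCode();
    // Render the <img> that points at the image script and the form; the code
    // itself must not appear anywhere in the page source.
    echo '<form method="post">'
       . '<img src="code_image.php" alt="security code"> '
       . '<input type="text" name="confirmsecuritycode" autocomplete="off"> '
       . '<input type="submit" value="Register">'
       . '</form>';
}
```

Because the stored code is unset before the comparison, a wrong guess forces a fresh image, so the five-digit space cannot be walked through against a single stored value; the lifetime bounds how long an issued code stays usable if the browser is left open.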
euphorian
Forum Newbie
Posts: 3
Joined: Sat Jul 10, 2004 12:37 am

Post by euphorian »

Thanks for the idea mate =) I'm sure that will work perfectly
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

np. You might also want to add more protection so that the same IP can only register like 5 accounts in a day, and 1 account per email address. Flood protection of like 30 seconds - so you have to wait 30 seconds before you can register again, etc.
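The three limits kettle_drum lists (5 accounts per IP per day, one account per e-mail address, a 30-second wait between registrations), as an added example that is not code from the thread. It checks a `registrations` table through PDO; the table and column names, the function names and the use of an in-memory SQLite database for the demo are assumptions. The per-IP limits key on `REMOTE_ADDR`, so players behind one NAT or proxy share the budget, which is the trade-off of any IP-based cap.

```php
<?php
// Added example, not from the thread: registration rate limits backed by a
// database table. Schema and function names are assumed.
declare(strict_types=1);

const MAX_PER_IP_PER_DAY   = 5;
const FLOOD_WINDOW_SECONDS = 30;
const DAY_SECONDS          = 86400;

/** Assumed schema; the UNIQUE constraint enforces one account per e-mail even under races. */
function setupSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS registrations (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        ip         TEXT    NOT NULL,
        email      TEXT    NOT NULL UNIQUE,
        created_at INTEGER NOT NULL)');
}

/** Normalise so A@Example.com and a@example.com count as the same address. */
function normaliseEmail(string $email): string
{
    return strtolower(trim($email));
}

/** Returns null when registration may proceed, otherwise a short reason string. */
function registrationBlockReason(PDO $pdo, string $ip, string $email, int $now): ?string
{
    $email = normaliseEmail($email);

    // One account per e-mail address.
    $st = $pdo->prepare('SELECT COUNT(*) FROM registrations WHERE email = ?');
    $st->execute([$email]);
    if ((int) $st->fetchColumn() > 0) {
        return 'email already registered';
    }

    // Flood protection: any registration from this IP in the last 30 seconds.
    $st = $pdo->prepare('SELECT COUNT(*) FROM registrations WHERE ip = ? AND created_at > ?');
    $st->execute([$ip, $now - FLOOD_WINDOW_SECONDS]);
    if ((int) $st->fetchColumn() > 0) {
        return 'please wait before registering again';
    }

    // Daily cap: at most 5 accounts per IP in a rolling 24 hours.
    $st->execute([$ip, $now - DAY_SECONDS]);
    if ((int) $st->fetchColumn() >= MAX_PER_IP_PER_DAY) {
        return 'daily registration limit reached for this address';
    }

    return null;
}

/** Record a successful registration; call this inside the same transaction as the account insert. */
function recordRegistration(PDO $pdo, string $ip, string $email, int $now): void
{
    $st = $pdo->prepare('INSERT INTO registrations (ip, email, created_at) VALUES (?, ?, ?)');
    $st->execute([$ip, normaliseEmail($email), $now]);
}

// Demo with constructed data (documentation IP range, example.com addresses).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($pdo);

$now = time();
$ip  = '203.0.113.7';

var_dump(registrationBlockReason($pdo, $ip, 'first@example.com', $now));
recordRegistration($pdo, $ip, 'first@example.com', $now);

// Same e-mail again, and a second address only one second later from the same IP.
var_dump(registrationBlockReason($pdo, $ip, 'FIRST@example.com', $now + 1));
var_dump(registrationBlockReason($pdo, $ip, 'second@example.com', $now + 1));

// Well past the flood window: four more are allowed, the sixth of the day is not.
for ($i = 2; $i <= 5; $i++) {
    recordRegistration($pdo, $ip, "user{$i}@example.com", $now + $i * 60);
}
var_dump(registrationBlockReason($pdo, $ip, 'sixth@example.com', $now + 400));
```

In the demo the first check passes, the repeated e-mail is refused, the second address a second later hits the flood window, and the sixth account inside the same day hits the per-IP cap. In production, run `registrationBlockReason()` and `recordRegistration()` in one transaction together with the account insert, so two simultaneous requests cannot both pass the count check.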