Hi, I designed a little snippet that prevents people from registering hundreds of accounts on a game server. It generates an image of 5 numbers, between 0 and 9, and they have to confirm that number in a text box.
There is one problem though: a malicious person could easily get around this by going to script.php?securitycode=42181&confirmsecuritycode=42181
Because they aren't using the form to register, they are using a URL.
I need some way to prevent this, because the PHP page holds scode as a hidden form value, and the confirm is a form text value, but still, if you see what I'm saying, there's a way around this.
I'm terrible at ideas, hehe, that's the problem.
So could anyone help me? Thanks.
[SOLVED] securing a registration form
kettle_drum
- DevNet Resident
- Posts: 1150
- Joined: Sun Jul 20, 2003 9:25 pm
- Location: West Yorkshire, England
Why don't you make it a little more complex and store the number that you print out in a session or the database, that a session/cookie refers to. And then when the form is submitted you check the value they submitted against the one in the session/database - and since they need to have a session/cookie - they have to have received it from the page that prints the number to copy out.
You can also check that the http referer was the page on your site.
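A sketch of the session-based check suggested in the reply above, added here as an example and not code posted by anyone in the thread. The function names, session keys and 10-minute lifetime are assumptions; the parameter name confirmsecuritycode comes from the original question.

```php
<?php
// Added example: the code lives only on the server, so a URL or form
// that supplies both values no longer proves anything.

const CODE_TTL = 600; // seconds a code stays valid (assumed value)

// Called by the page that renders the image. The code goes into the
// session, never into a hidden form field or the query string.
function issue_code(array &$session): string
{
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= (string) random_int(0, 9); // CSPRNG-backed digit
    }
    $session['reg_code'] = $code;
    $session['reg_code_time'] = time();
    return $code; // hand this to the image renderer only
}

// Called by the form handler with the value the user typed.
function verify_code(array &$session, string $submitted): bool
{
    $expected = $session['reg_code'] ?? null;
    $issued   = $session['reg_code_time'] ?? 0;
    // Single use: discard the code whether or not this attempt succeeds,
    // so one solved image cannot register many accounts.
    unset($session['reg_code'], $session['reg_code_time']);

    if (!is_string($expected) || time() - $issued > CODE_TTL) {
        return false; // no session from the form page, or code expired
    }
    return hash_equals($expected, $submitted); // constant-time compare
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$code = issue_code($session);
var_dump(verify_code($session, $code)); // first submission of the code
var_dump(verify_code($session, $code)); // same code replayed
var_dump(verify_code($session, '42181')); // request with no issued code

// In script.php (assumed wiring): session_start(); then
// verify_code($_SESSION, (string) ($_POST['confirmsecuritycode'] ?? ''))
```

The form then sends only the typed value; the expected value never leaves the server.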