
securing a registration form

Posted: Sat Jul 10, 2004 12:37 am
by euphorian
Hi, I designed a little snippet that prevents people from registering hundreds of accounts on a game server. It generates an image of 5 numbers, between 0 and 9, and they have to confirm that number in a text box.

There is one problem though, a malicious person could easily get around this by going to script.php?securitycode=42181&confirmsecuritycode=42181

Because they aren't using the form to register, they are using a URL.
I need some way to prevent this, because the PHP page holds scode as a hidden form value, and the confirm is a form text value, but still, if you see what I'm saying, there's a way around this.

I'm terrible at ideas, hehe, that's the problem.

So could anyone help me? thanks.

Posted: Sat Jul 10, 2004 12:55 am
by John Cartwright
I dunno but maybe you can use POST instead of GET in the form method?

Posted: Sat Jul 10, 2004 1:06 am
by kettle_drum
Why don't you make it a little more complex and store the number that you print out in a session or the database, that a session/cookie refers to. And then when the form is submitted you check the value they submitted against the one in the session/database - and since they need to have a session/cookie - they have to have received it from the page that prints the number to copy out.

You can also check that the http referer was the page on your site.
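The session-based check kettle_drum describes, written out as an added example (this is not euphorian's script or any code from the thread, and it uses modern PHP functions such as random_int and hash_equals). The image drawing itself is assumed to happen elsewhere; function names and the 10-minute expiry are choices made for this example. The point is that the code the user must copy never travels to the browser in a hidden field, so a crafted URL cannot supply both halves of the comparison:

```php
<?php
// Added example: keep the image code server-side in the session and compare
// the submitted digits against it. Assumes session cookies are enabled.

session_start();

// Called by the page that draws the image: pick a fresh 5-digit code, store
// it only in the session, and return the digits for the image generator.
function issue_security_code(): string
{
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= (string) random_int(0, 9);   // CSPRNG, not rand()
    }
    $_SESSION['scode'] = $code;               // never a hidden form field
    $_SESSION['scode_issued'] = time();       // so the code can expire
    return $code;
}

// Called by the registration handler. Returns true only when the submitted
// value matches the code this same session was issued, within 10 minutes.
function verify_security_code(array $post): bool
{
    if (!isset($_SESSION['scode'], $_SESSION['scode_issued'])) {
        return false;                         // no session: never saw the image
    }
    $expected = $_SESSION['scode'];
    $issued   = (int) $_SESSION['scode_issued'];

    // One-shot: clear before comparing so a wrong guess cannot be retried
    // against the same code and a correct one cannot be replayed.
    unset($_SESSION['scode'], $_SESSION['scode_issued']);

    if (time() - $issued > 600) {
        return false;                         // stale code (assumed limit)
    }
    $submitted = isset($post['confirmsecuritycode'])
        ? (string) $post['confirmsecuritycode']
        : '';
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Registration handler: accept only POST, and only with a matching code.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['register'])) {
    if (!verify_security_code($_POST)) {
        http_response_code(400);
        exit('Security code did not match.');
    }
    // ... create the account here ...
}
```

Because the comparison reads `$_SESSION`, not `$_POST['securitycode']`, the URL trick from the first post no longer works: a request without the session cookie has nothing to match against. The example deliberately relies on the session alone rather than the Referer header, since that header is supplied by the client and is often stripped by proxies or privacy settings, so it makes a poor gate on its own.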

Posted: Sat Jul 10, 2004 1:27 am
by euphorian
Thanks for the idea mate =) I'm sure that will work perfectly

Posted: Sat Jul 10, 2004 2:02 am
by kettle_drum
np. You might also want to add more protection so that the same IP can only register like 5 accounts in a day, and 1 account per email address. Flood protect of like 30 seconds - so you have to wait 30 seconds before you can register again etc.
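The three limits in this post (5 accounts per IP per day, 1 account per email address, 30 seconds between registrations) as an added example, not code from the thread. It keeps a small SQLite table through PDO; the table name, column names and the 429 response are choices made here, and the handler is assumed to run after the image code has already been verified:

```php
<?php
// Added example: per-IP daily cap, per-email uniqueness and a 30-second
// flood delay, recorded in a SQLite file via PDO (table name is invented).

function open_registration_log(string $path = 'registrations.sqlite'): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS registrations (
        ip      TEXT    NOT NULL,
        email   TEXT    NOT NULL UNIQUE,
        created INTEGER NOT NULL)');
    return $db;
}

// Returns null when the registration may proceed, otherwise the reason.
function registration_blocked(PDO $db, string $ip, string $email, int $now): ?string
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }

    // 1 account per email address
    $st = $db->prepare('SELECT 1 FROM registrations WHERE email = ?');
    $st->execute([$email]);
    if ($st->fetchColumn() !== false) {
        return 'email already registered';
    }

    // flood protection: 30 seconds between registrations from one IP
    $st = $db->prepare('SELECT MAX(created) FROM registrations WHERE ip = ?');
    $st->execute([$ip]);
    $last = $st->fetchColumn();               // null when the IP is unseen
    if ($last !== null && $last !== false && $now - (int) $last < 30) {
        return 'please wait 30 seconds';
    }

    // at most 5 accounts per IP in the last 24 hours
    $st = $db->prepare('SELECT COUNT(*) FROM registrations WHERE ip = ? AND created > ?');
    $st->execute([$ip, $now - 86400]);
    if ((int) $st->fetchColumn() >= 5) {
        return 'daily limit for this address reached';
    }
    return null;
}

function record_registration(PDO $db, string $ip, string $email, int $now): void
{
    $st = $db->prepare('INSERT INTO registrations (ip, email, created) VALUES (?, ?, ?)');
    $st->execute([$ip, strtolower(trim($email)), $now]);
}

// Usage from the registration handler, after the image code has been checked:
$db     = open_registration_log();
$ip     = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$email  = $_POST['email'] ?? '';
$reason = registration_blocked($db, $ip, $email, time());
if ($reason !== null) {
    http_response_code(429);
    exit($reason);
}
record_registration($db, $ip, $email, time());
// ... create the account here ...
```

All three checks use prepared statements, so the email and address values never reach the query text directly. One caveat worth knowing before turning on the per-IP cap: players behind a shared NAT or a school proxy all present the same REMOTE_ADDR, so a limit of 5 per day can lock out legitimate users on busy networks; logging the rejections makes it easy to see whether that is happening.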