Expiring pages

Calimero
Forum Contributor
Posts: 310
Joined: Thu Jan 22, 2004 6:54 pm
Location: Milky Way

Expiring pages

Post by Calimero »

Not sure where this goes, but let's try from here:


I have a random number generator (avatar I think it's called)
it prints a number on a page, and you have to type it in the textfield in order to submit the form.

This is my problem. I think that this system can be easily tricked by the BACK button and inputting the value again (textfield type is password, but the page is loaded with the same random number)

Is there any way to prevent this type of abuse (somehow for the page to expire, or maybe IP filtering (just came to my mind))

Anyway, any suggestions would come in handy.

Thanks Ahead !
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

create an image with the random text embedded inside.
Calimero
Forum Contributor
Posts: 310
Joined: Thu Jan 22, 2004 6:54 pm
Location: Milky Way

...

Post by Calimero »

just one question, HOW?

do you mean php to create an image on-the-fly and then insert a random string that is also generated on the fly?

But isn't that way also vulnerable, if I click the BACK button in the browser and just copy-paste the code inside the textfield?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

each query to that "image" would generate a new random string... the text data itself isn't passed to the browser, like you implied your code works now. In that, it's far less vulnerable.

read into the image functions on php.net: http://php.net/image

we've got several discussions laying around in the forums talking about it.. although few, if any, with complete code.
jtc970
Forum Commoner
Posts: 38
Joined: Sun Jan 18, 2004 11:49 pm

Post by jtc970 »

you could save the code to a db then verify it against that, once it's used remove it from the db
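
Added example, not part of any post in this thread: a sketch of the store-verify-remove approach suggested above, combined with the earlier point that the code itself should never reach the browser as text. It uses PDO with SQLite; the table name, function names and the six-digit code format are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Table and function names are hypothetical.

function captcha_db(string $path): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS captcha (
        token TEXT PRIMARY KEY, code TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Issue a challenge. Only $token goes into the form (hidden field); $code is
// drawn into the image by the image script and never sent as text.
function captcha_issue(PDO $db, int $ttl = 300): array {
    $token = bin2hex(random_bytes(16));
    $code  = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $db->prepare('INSERT INTO captcha (token, code, expires) VALUES (?, ?, ?)')
       ->execute([$token, $code, time() + $ttl]);
    return [$token, $code];
}

// Verify and consume. The row is deleted on every attempt, right or wrong,
// and only the request whose DELETE removed it can succeed.
function captcha_verify(PDO $db, string $token, string $answer): bool {
    $sel = $db->prepare('SELECT code, expires FROM captcha WHERE token = ?');
    $sel->execute([$token]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    $del = $db->prepare('DELETE FROM captcha WHERE token = ?');
    $del->execute([$token]);
    $consumed = $del->rowCount() === 1;

    // Housekeeping: drop challenges nobody answered in time.
    $db->prepare('DELETE FROM captcha WHERE expires < ?')->execute([time()]);

    return $consumed && $row !== false
        && (int) $row['expires'] >= time()
        && hash_equals($row['code'], $answer);
}

// Constructed demonstration with an in-memory database.
$db = captcha_db(':memory:');
[$token, $code] = captcha_issue($db);
var_dump(captcha_verify($db, $token, $code)); // first submission
var_dump(captcha_verify($db, $token, $code)); // same values resubmitted after BACK
```

The first call returns true and the second returns false, because the row was removed when the code was first used.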
Calimero
Forum Contributor
Posts: 310
Joined: Thu Jan 22, 2004 6:54 pm
Location: Milky Way

...

Post by Calimero »

Still searching .....

If you know which topic is it, please...

Or if you have the code, ...


Thanks Ahead !
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

it is all explained @ http://php.net/image which feyd already suggested
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If you want to see an example of something like this try:

http://www.register.com

type in an existing domain name and then click on view whois info