Not sure where this goes, but let's try from here:
I have a random number generator (avatar, I think it's called).
It prints a number on a page, and you have to type it in the text field in order to submit the form.
This is my problem. I think that this system can be easily tricked by the BACK button and inputting the value again (the text field type is password, but the page is loaded with the same random number).
Is there any way to prevent this type of abuse (somehow for the page to expire, or maybe IP filtering (just came to my mind))?
Anyway, any suggestions would come in handy.
Thanks ahead!
Expiring pages
...
Just one question: HOW?
Do you mean PHP to create an image on the fly and then insert a random string that is also generated on the fly?
But isn't that way also vulnerable, if I click the BACK button in the browser and just copy-paste the code inside the text field?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
each query to that "image" would generate a new random string... the text data itself isn't passed to the browser, like you implied your code works now. In that, it's far less vulnerable.
read into the image functions on php.net: http://php.net/image
we've got several discussions laying around in the forums talking about it.. although few, if any, with complete code.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
it is all explained @ http://php.net/image which feyd already suggested
If you want to see an example of something like this try:
http://www.register.com
type in an existing domain name and then click on view whois info
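The approach feyd describes, combined with the page expiry asked about in the first post, as an added example that is not code from this thread: the code lives only in the session, every image request replaces it, and one verification attempt consumes it, so BACK followed by a resubmit fails. The function names, the `captcha` session key and the 120-second lifetime are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread; all names here are hypothetical.
// $store stands for $_SESSION (after session_start()), passed by reference
// so the same logic can be exercised from the CLI with a plain array.

const CAPTCHA_TTL = 120; // seconds a challenge stays valid (assumed value)

// Called by the image endpoint on every request: a new code each time,
// kept server-side only. The browser receives pixels, never the text.
function captcha_issue(array &$store, int $now): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $store['captcha'] = ['code' => $code, 'expires' => $now + CAPTCHA_TTL];
    return $code;
}

// Called by the form handler. The stored challenge is deleted before the
// comparison, so each issued code gets exactly one attempt, right or wrong.
function captcha_verify(array &$store, string $answer, int $now): bool
{
    $challenge = $store['captcha'] ?? null;
    unset($store['captcha']);
    if (!is_array($challenge) || $now > $challenge['expires']) {
        return false;
    }
    return hash_equals($challenge['code'], strtoupper(trim($answer)));
}

// Body of the image endpoint (requires the GD extension).
function captcha_send_image(string $code): void
{
    $img = imagecreatetruecolor(120, 40);
    imagefilledrectangle($img, 0, 0, 119, 39, imagecolorallocate($img, 255, 255, 255));
    imagestring($img, 5, 30, 12, $code, imagecolorallocate($img, 0, 0, 0));
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // do not let BACK reuse a cached image
    imagepng($img);
}

// CLI walk-through with a plain array in place of $_SESSION.
if (PHP_SAPI === 'cli') {
    $session = [];
    $code = captcha_issue($session, 1000);
    var_dump(captcha_verify($session, $code, 1010)); // first submit
    var_dump(captcha_verify($session, $code, 1011)); // same code again after BACK
}
```

In a real page the image script would call `session_start()`, then `captcha_send_image(captcha_issue($_SESSION, time()))`, and the form handler would call `captcha_verify($_SESSION, $_POST['code'] ?? '', time())`, where the `code` field name is also an assumption.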