[thelist] CF: source of POST variables

jon steele jjsteele22 at yahoo.com
Fri Aug 2 09:29:00 CDT 2002


--- Raymond Camden <jedimaster at macromedia.com> wrote:
>(Make sense?)
Yup.

> User hits your form. You generate a UUID and store that as a hidden form
> value. You store that same UUID in the database.
> User hits submit on your form. You check to make sure the UUID exists.
> Process the form and then delete the UUID from the db.
>
> Of course, if I were using a HTTP post to hack your site, I'd simply hit
> your action page first and rip out the UUID. But it would be more
> difficult for the hacker at least.

This system is what I will probably end up using, but as you say, the UUID can still be obtained.
But if I combine this with the earlier idea of generating a unique identifier using the day/hour,
storing it in the database, and then regenerating it at the end and checking the value, this would
not require anything to be passed via the form/s.

Jon
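The one-time form token scheme Raymond describes above (mint a UUID on the form page, store it, check and delete it on the action page), as an added example that is not part of the original thread. It is written in Python with an in-memory SQLite table standing in for the site database, rather than in ColdFusion; the table name, the `form_token` field name and the one-hour token lifetime are assumptions for the example. Because the check and the delete are one `DELETE ... WHERE` statement, two POSTs racing with the same token cannot both pass. The last scenario in `main()` reproduces Raymond's caveat: a script that fetches the form first still gets a valid token.

```python
import sqlite3
import time
import uuid

# Constructed stand-in for the site database; a real deployment would use its own DB.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE form_tokens (token TEXT PRIMARY KEY, issued_at REAL NOT NULL)"
)

MAX_AGE_SECONDS = 3600  # assumed lifetime; stale tokens are purged on the action page


def render_form(now=None):
    """User hits the form page: generate a UUID, store it in the database,
    and return it so the page can embed it as a hidden field."""
    now = time.time() if now is None else now
    token = str(uuid.uuid4())
    db.execute(
        "INSERT INTO form_tokens (token, issued_at) VALUES (?, ?)", (token, now)
    )
    db.commit()
    return token


def process_submission(form, now=None):
    """User hits submit: accept the POST only if its token exists and is fresh.
    The token is deleted in the same statement that checks it, so a replay
    (or a second racing POST) finds no row and is rejected."""
    now = time.time() if now is None else now
    token = form.get("form_token", "")
    # Housekeeping: drop tokens that were issued too long ago.
    db.execute("DELETE FROM form_tokens WHERE issued_at < ?", (now - MAX_AGE_SECONDS,))
    cur = db.execute("DELETE FROM form_tokens WHERE token = ?", (token,))
    db.commit()
    if cur.rowcount != 1:
        return False
    # ... real form processing (mail, insert, etc.) would go here ...
    return True


def main():
    # 1. Normal user: form page issues a token, the POST carries it back.
    tok = render_form()
    print("legit submit accepted:", process_submission({"form_token": tok}))
    # 2. Replay of the same token is rejected because the row is gone.
    print("replay accepted:", process_submission({"form_token": tok}))
    # 3. A made-up UUID never stored in the DB is rejected.
    print("forged token accepted:",
          process_submission({"form_token": str(uuid.uuid4())}))
    # 4. Expired token is rejected.
    old = render_form(now=time.time() - 2 * MAX_AGE_SECONDS)
    print("expired token accepted:", process_submission({"form_token": old}))
    # 5. Raymond's caveat: a script that hits the form page first gets a valid
    #    token and its POST is accepted like any other.
    scripted = render_form()
    print("scripted fetch-then-post accepted:",
          process_submission({"form_token": scripted}))


if __name__ == "__main__":
    main()
```

The scheme stops blind POSTs and replays, which is what the thread is after; on its own it does not tell a browser apart from a script that loads the form before posting, exactly as Raymond says.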



