[thelist] Worried...please help

Chris Marsh chris at ecleanuk.com
Tue Jun 17 09:23:19 CDT 2003


> I am going to set up a web site for myself - it's a small business 
> trying to gather information from surfers (like a survey) and then 
> selling these statistics to an advertising company. I have a lot of 
> forms, and all the data is going to be stored in an MS Access 
> DB on my cheap-ish server (can't afford anything else).
> 
> PROBLEM is: To try to 'break' my own site, I wrote a small standalone 
> HTML page with some simple JavaScript in it, that makes a local FORM 
> object (with fields the same as my form), puts some junk data in it and 
> then submits it to my server (anyone on the internet can do this by 
> saving a copy of my form page and then studying it). This JS can be 
> made to run inside a loop (from 1 to 1000000..) which means it's going 
> to keep on submitting data to my server, eventually crashing it! How 
> can I stop someone from doing this to me? :(

There are two potential issues here. One is the "junk" nature of the
data, and the other is the multiple submissions. To filter out the junk
you should validate the data (probably with regular expressions) on the
server. You may be doing this already.

Have you got a link to the page? I'm guessing that you will be able to
write ASP pages, as your server is clearly MS. A simple way to stop
people from submitting the form from outside your site would be as
follows:

<%
Dim sReferer
' HTTP_REFERER holds the URL of the page that sent the POST;
' SERVER_NAME would only return this server's own host name.
sReferer = LCase(Request.ServerVariables("HTTP_REFERER"))
If Left(sReferer, Len("http://yourdomain.com/")) <> "http://yourdomain.com/" Then
	Response.Redirect "errorpage.htm"
Else
	'Process Form
End If
%>

You could go a step further and set a session variable after the form
has been processed. Check for the existence of this variable *before*
the form processing, and only allow the processing to go ahead if the
session variable does not exist. This will prohibit multiple submissions
from within your own site. This may or may not be desirable depending on
exactly how your site works.

HTH

Regards

Chris Marsh
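The server-side checks discussed in the reply above (validating each field with a regular expression, and refusing a second submission from the same session), together with a per-client rate limit for the scripted loop described in the question, as an added example in Python rather than classic ASP. This is not code from the original post; the field names, regexes, limits, client address and sample submissions are assumptions. It uses a server-issued one-time token instead of a Referer check because the Referer header, like everything else in the request, is chosen by the client, so a script can simply send the expected value.

```python
"""Server-side defences for a public HTML form: field validation, a
per-session one-time form token, and a per-client rate limit.
Added illustration; field names, limits and sample data are assumptions."""
import re
import secrets
import time
from collections import deque

# Validation rules for the (assumed) survey fields: one regex per field.
FIELD_RULES = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,49}$"),
    "age": re.compile(r"^(1[0-9]|[2-9][0-9]|1[01][0-9])$"),  # 10-119
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[A-Za-z]{2,}$"),
}


def validate(form):
    """Return the names of fields that are missing or fail their rule."""
    bad = []
    for field, rule in FIELD_RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not rule.fullmatch(value):
            bad.append(field)
    return bad


class FormGuard:
    """Per-session one-time tokens plus per-client submission timestamps."""

    def __init__(self, max_per_window=5, window_seconds=60.0):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._tokens = {}    # session id -> outstanding token
        self._history = {}   # client key (e.g. IP) -> deque of timestamps

    def issue_token(self, session_id):
        """Call when rendering the form; embed the token in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _consume_token(self, session_id, token):
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(token, str):
            return False
        if not secrets.compare_digest(expected.encode(), token.encode()):
            return False
        del self._tokens[session_id]  # one use only: a replay needs a new form
        return True

    def _rate_limited(self, client_key, now):
        # Rejected attempts count too, so a failing script still burns budget.
        stamps = self._history.setdefault(client_key, deque())
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            return True
        stamps.append(now)
        return False

    def handle_submission(self, session_id, client_key, form, now=None):
        """Return (accepted, reason): rate limit, then token, then fields."""
        now = time.monotonic() if now is None else now
        if self._rate_limited(client_key, now):
            return False, "rate limit exceeded"
        if not self._consume_token(session_id, form.get("form_token")):
            return False, "missing, stale or reused form token"
        bad = validate(form)
        if bad:
            return False, "invalid fields: " + ", ".join(bad)
        return True, "stored"


def demo():
    """Constructed scenario (not real traffic): one genuine submission, a
    replay of it, a junk submission, then a scripted loop from one client."""
    guard = FormGuard(max_per_window=5, window_seconds=60)
    client = "203.0.113.7"  # documentation-range address, assumed
    good = {"name": "Ann Example", "age": "34",
            "email": "ann@example.org", "form_token": guard.issue_token("s1")}
    results = [guard.handle_submission("s1", client, good, now=0.0)]
    # Replaying the same POST: the token was consumed by the first request.
    results.append(guard.handle_submission("s1", client, good, now=1.0))
    # A freshly fetched form filled with junk.
    junk = {"name": "<script>", "age": "999", "email": "x",
            "form_token": guard.issue_token("s1")}
    results.append(guard.handle_submission("s1", client, junk, now=2.0))
    # Scripted loop: each pass fetches a new token, but the rate limit bites.
    for i in range(4):
        form = dict(good, form_token=guard.issue_token("s1"))
        results.append(guard.handle_submission("s1", client, form, now=3.0 + i))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

A script now has to fetch a fresh form from the server for every submission, because the hidden token is minted per session and destroyed on first use, and even then the rate limit caps how many posts a client gets per window. The rate-limit key here is the client address, which NAT and shared proxies make coarse, and the state is in memory; in a real deployment the token would live in the session store (the ASP Session object in this thread's setting) and the counters somewhere shared across worker processes.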


