[FX.php List] RE: Security Concerns with FileMaker Website

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jan 25 03:02:58 MST 2007


Comparing two keys, and if the two keys do not match; ditch...

It does require some way of issuing the two keys; that's the challenge
in this. For a member system it's somewhat simple; for a publicly
browsable site the task is different, and perhaps issuing of the keys
should be done if the IP range is not on a blacklist.

A typical key for me would be:

<?php
session_start(); // the keys live in the PHP session, so it has to be started first

// Per-visitor key: a site-specific salt hashed together with the client address.
$pKey = md5( 'myCuteLittleWebSurvey' . $_SERVER["REMOTE_ADDR"] );

$_SESSION[$pKey]['key1'] = $_SERVER["REMOTE_ADDR"];        // the raw address
$_SESSION[$pKey]['key2'] = md5( $_SERVER["REMOTE_ADDR"] ); // its hash, compared on later requests

I know this one is easy to fake, but it is possible to make a more
challenging one.

The clue on the other hand is _when_ to issue these keys...

ggt667
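The issue-then-compare scheme described above, written out as a complete added example (this is not code from the list or from the message above). It goes a little beyond the posted snippet: `key2` is a random token rather than `md5` of the address, so it cannot be computed by anyone who merely knows the client's IP, and keys are only issued when the address is not in a blacklisted range. The salt, the blacklist contents and the form layout are assumptions.

```php
<?php
// Added example (not from the original message): issue a per-visitor key pair
// when the form is first viewed, and ditch a submission whose keys do not match
// what the session holds. Salt and blacklist are assumptions.
session_start();

const SURVEY_SALT = 'myCuteLittleWebSurvey';   // assumption: a site-specific secret
$ipBlacklist = ['198.51.100.0/24'];             // constructed sample range (RFC 5737 documentation block)

// Does $ip fall inside the IPv4 CIDR range $cidr? (assumes 64-bit PHP integers)
function ipInRange(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Issue the two keys for this visitor, or null if the address is blacklisted.
function issueKeys(string $ip, array $blacklist): ?string {
    foreach ($blacklist as $cidr) {
        if (ipInRange($ip, $cidr)) {
            return null;                                // no keys for listed ranges
        }
    }
    $pKey = md5(SURVEY_SALT . $ip);
    $_SESSION[$pKey]['key1'] = $ip;
    $_SESSION[$pKey]['key2'] = bin2hex(random_bytes(16)); // unpredictable, unlike md5($ip)
    return $_SESSION[$pKey]['key2'];                    // goes into the form as a hidden field
}

// Compare what came back with what was issued; false means "ditch".
function keysMatch(string $ip, string $submitted): bool {
    $pKey = md5(SURVEY_SALT . $ip);
    if (!isset($_SESSION[$pKey])) {
        return false;                                   // nothing was ever issued to this visitor
    }
    $rec = $_SESSION[$pKey];
    // both must hold: same address as when issued, and the exact token handed out
    return $rec['key1'] === $ip && hash_equals($rec['key2'], $submitted);
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!keysMatch($ip, (string)($_POST['token'] ?? ''))) {
        http_response_code(403);
        exit('ditched');                                // keys do not match: drop the submission
    }
    // ... handle the genuine submission here ...
} else {
    $token = issueKeys($ip, $ipBlacklist);
    if ($token === null) {
        http_response_code(403);
        exit;
    }
    echo '<form method="post"><input type="hidden" name="token" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"><button>Send</button></form>';
}
```

Two points worth noting: `hash_equals` keeps the comparison constant-time, and binding `key1` to the address means a visitor whose IP changes between viewing and submitting (mobile networks, some proxies) will be rejected, which is the usual trade-off of IP-bound tokens.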

On 1/25/07, Kevin Futter <kfutter at sbc.melb.catholic.edu.au> wrote:
> On 25/1/07 3:10 AM, "Gjermund Gusland Thorsen" <ggt667 at gmail.com> wrote:
>
> > My few cents worth: let them crawl you,
> > but avoid showing email addresses.
> >
> > ggt667
> >
>
> One method that has begun to be used with good success over the last year or
> so is to issue a logic challenge in plain text that any human - but no bot -
> can answer. I can't think of any in-use examples ATM, but it might be
> something like "What is a female parent called?" Perhaps even simpler than
> that. You have a selection of them and present them randomly. I can't
> remember if this technique has an official name, but it's worth looking
> into, as it seems the best approach all-round.
>
> --
> Kevin Futter
> Webmaster, St. Bernard's College
> http://www.sbc.melb.catholic.edu.au/
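The plain-text logic challenge Kevin describes, as an added example (not code from the list, the College, or either message): a small pool of questions, one picked at random per session, with the accepted answers kept server-side and checked after normalising the reply. The question pool is constructed for illustration.

```php
<?php
// Added example (not from the quoted message): a plain-text question challenge.
// The pool below is constructed; a real site would keep a larger, rotating set.
session_start();

// Each entry: the question and the accepted answers (lower-case, no punctuation).
const CHALLENGES = [
    ['q' => 'What is a female parent called?',        'a' => ['mother', 'mum', 'mom']],
    ['q' => 'What colour is the sky on a clear day?', 'a' => ['blue']],
    ['q' => 'How many legs does a dog have?',         'a' => ['4', 'four']],
];

// Trim, collapse inner whitespace, drop trailing punctuation, lower-case.
function normalise(string $s): string {
    $s = strtolower(trim($s));
    $s = preg_replace('/\s+/', ' ', $s);
    return rtrim($s, '.!?');
}

// Pick a question; only its index is stored, the answers never leave the server.
function pickChallenge(): string {
    $i = random_int(0, count(CHALLENGES) - 1);
    $_SESSION['challenge_idx'] = $i;
    return CHALLENGES[$i]['q'];
}

// Check the reply against the question that was actually asked in this session.
function checkAnswer(string $given): bool {
    if (!isset($_SESSION['challenge_idx'])) {
        return false;                                   // nothing was asked in this session
    }
    $i = (int)$_SESSION['challenge_idx'];
    unset($_SESSION['challenge_idx']);                  // one attempt per issued question
    return in_array(normalise($given), CHALLENGES[$i]['a'], true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!checkAnswer((string)($_POST['answer'] ?? ''))) {
        http_response_code(403);
        exit('Sorry, that answer did not match; please try again.');
    }
    // ... accept the comment / form submission here ...
} else {
    $q = pickChallenge();
    echo '<form method="post"><label>' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8')
       . ' <input name="answer"></label><button>Send</button></form>';
}
```

Consuming the stored index after one attempt stops a bot from retrying the same question until it guesses, and a new question is issued on every page load. The limitation is the pool size: a handful of questions is easy to enumerate by hand, so this filters generic crawlers rather than anyone targeting the site specifically.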

