remote form submission with CPG? remote form submission with CPG?
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

remote form submission with CPG?

Started by pinpoint222, November 10, 2006, 08:49:31 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

pinpoint222

it is related to bot spam and i have seen that happening few times earlier with unprotected static php pages of my old site. i wonder if that can happen with CPG too..

The bots visit the page with a FORM placed in it and saves the source code with absolute URLs of the "POST" element of the FORM and then it remotely puts in the form values and calls that POST URL. So the form is filled remotely but POST is executed using proper absolute URL.

1-- is that something which is possible?
2-- if the form fields are filled remotely and then db_input.php file is called using absolute URL ..will that form b processed in CPG ?
3-- which method is better to have against Spam submission in FORMs......is POST better or GET better?


Nibbler

1) Yes, but that's not how the bots work.
2) Yes, Coppermine does not know the difference.
3) POST is better, but only slightly.

pinpoint222

so in what way remote calling of db_input.php be blocked without making visitor loggin in first.

Do you think this can work?

* -- Encrypting URL of db_input.php(using Javascript) so bots cannot find out the URL and store it for remote calling?

Nibbler

The bots already know it is called db_input.php, and they don't execute javascript in the first place.

pinpoint222

hmm..

Considering this single image verfication mod/hack (http://forum.coppermine-gallery.net/index.php?topic=36235.msg180856#msg180856)

which uses db_input2.php (A modified replica of db_input.php)

IF i set it up such that

1-- While applying the Mod/hack, the location of db_input2.php is calculated using Javascript. So bots cant find its location.

2-- If the POST data contains comments parameters like Name /comment/image code  THEN DO NOT execute db_input.php BUT only execute db_input2.php.

This way even if the db_input.php is called using its absolute known URL with POST data containing comments parameters like Name /comment/image code then db_input.php will not be executed.

Do you think using this setup will prevent remote execution of db_input.php and keeps the location of db_input2.php hidden using Javascript ( as bots cant read/execute javascript)?