in reply to Re: Stop Form Hurling
in thread Stop Form Hurling

Then make a variable out of @selected to check it once the form has been submitted: ... Pass it on to the cgi script that will do the checking and you're done.

Unfortunately, this solution is not very secure. An automated script could easily figure out what to send back by looking at the image URLs, or could simply send a different value for check_var that matches their input.

Instead of trying to code this from scratch, take a look at the existing "Captcha" implementations.

Re^3: Stop Form Hurling
by emav (Pilgrim) on Nov 06, 2004 at 06:15 UTC
    Yeah, I know about that. I took one more step to circumvent this security flaw.

    I randomly renamed the alphanumeric images and I keep a list of correspondences between these random names and the actual values of the letters somewhere on my site. So, actually, what a robot would see in the image URLs is various names of Greek cities (e.g. "athens", "thessaloniki", etc. -- hey! I'm Greek after all ;-).

    Then, the cgi script reverses the process and checks the password. I suppose bots are not that clever to figure out what's going on.

      But if you're passing the value to check against as a query parameter, what's to stop a malicious user from manually finding one match, and then re-submitting those parameters to your site in thousands of future requests?
        This depends on the level of security you require. Of course, one could use a temp file which is written, read, and deleted on the fly (as we pass from one cgi script to the other) to transfer the info.
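An added example, not code from the thread, of the server-side alternative the last two replies get at: the form carries only a random token, the expected answer stays on the server, and each token is consumed on first use, so a captured token/answer pair cannot be resubmitted and stale tokens expire. It is written in Python rather than the Perl CGI being discussed, and the image-name-to-letter map is a constructed stand-in for the correspondence list emav describes.

```python
import secrets
import time

# Constructed stand-in for the server-side list that maps the randomly named
# image files back to the letters they show (hypothetical sample values).
IMAGE_TO_LETTER = {"athens": "A", "thessaloniki": "T", "patras": "P"}


def verify_client_supplied(check_var, submitted):
    """The weak design: the expected value travels through the form.

    Whoever submits the form also chooses check_var, so a matching pair
    always passes, and a pair captured once can be replayed indefinitely.
    """
    return check_var == submitted


class ChallengeStore:
    """Hardened design: expected answers live only on the server.

    The form gets an unguessable token; verify() pops the entry, so a token
    works at most once, and entries older than ttl_seconds are refused.
    `now` is injectable so the expiry path can be exercised deterministically.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self._pending = {}  # token -> (expected answer, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now

    def issue(self, image_names):
        """Record the answer for the images shown; return the token for the form."""
        answer = "".join(IMAGE_TO_LETTER[name] for name in image_names)
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self._now() + self._ttl)
        return token

    def verify(self, token, submitted):
        """Single-use check: the token is removed whether or not it matches."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown, already used, or never issued
        answer, expires = entry
        if self._now() > expires:
            return False  # issued too long ago; the user must fetch a new form
        # Constant-time comparison; case-fold so "at" matches "AT".
        return secrets.compare_digest(answer, submitted.strip().upper())
```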