
How can I block or make sure it's my server?


Zas

Programmer
Oct 4, 2002
211
US
Now there's this little dude who's really annoying and has been spamming my server with information that he probably shouldn't be able to. Now I made the .html so no one could surpass 15 characters in length.
But he took that and saved it to his computer and made it so he could make it unlimited. My question is how can I make sure that the 'post' is coming from valui.com only, and not hiscomputer.com.
What is the command to get where the previous page came from?

Happiness is like peeing your pants.
Everyone can see it, but only you can feel the warmth.
 
Check the environment variable HTTP_REFERER

This will contain the URL of the page he clicked from. If it is legitimate it will be the URL of the page on your server. If it doesn't match that deny him.
 
thanks

Happiness is like peeing your pants.
Everyone can see it, but only you can feel the warmth.
 
I think in this case, that's not an issue.

HTTP_REFERER (AFAIK) tells what URL the post came from. Anything coming from has a text limitation, as posted in the first message. These are okay.

The childish annoyance is saving the HTML file, removing the text limitation, and hitting the send button. This wouldn't be from (it'd probably be from C:/file.html) and would be blocked.

No?
 
What about when the guy sets his referrer string in his browser to be the original page? That would be simple to do and would bypass the referer check.

The best way to do this would be to hard code the script to only accept the limited amount of text rather than the html page, then he can't bypass it.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
Yeah, the real answer is what Wullie said. Properly check your inputs.

ALWAYS. No matter what. This is one of the biggest security issues with CGI: unchecked inputs.
 
Right now I have:
if((!($ref ne " ^ ($ref ne " ^ (!($ref =~ " ^ (!($ref =~ " { print "Sorry, you came from the wrong site, and therefore have most likely inputted false information. Goto the main page at and try to sign up again."; exit; }


and that seems to be working. But I see how all the variable inputs should be checked regardless.
I'm a bit rusty, I'm going to have to look up how to check to make sure $cname contains only alpha-numeric characters, and make sure its size is less than 15. :p

Happiness is like peeing your pants.
Everyone can see it, but only you can feel the warmth.
 
if( length($cname) > 15 ) { print 'Too long buddy!'; }

# Anchored allow-list: the whole value must be letters/digits. An unanchored
# /[A-Z0-9]/ would only check that at least one such character exists somewhere.
if( $cname !~ /^[A-Za-z0-9]+$/ ) { print 'Not alphanumeric'; }
 
# Note: \W treats the underscore as a word character, so "bad_name" passes this test.
if ($INPUT{'cname'} =~ /\W/) { &error("<br>Invalid Character Name! \(Use only alpha-numeric characters!\)"); $error = 1; }
if (length($INPUT{'cname'}) > 15) { &error("<br>Your character\'s name is too long!"); $error = 1; }

$error is set to 1 so it can show all the errors, and then exit if $error equals 1.

\W works too :D.

Happiness is like peeing your pants.
Everyone can see it, but only you can feel the warmth.
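As an added example (my own code, not from any poster in this thread), here is what Wullie's advice and the checks above amount to when done entirely in the script: an allow-list validation of the 'cname' field that holds whether the form was edited locally or the referer header was changed. The field name cname and the 15-character limit are from the thread; the helper name and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: validate the 'cname' field on the
# server, independent of HTTP_REFERER. The field name and the 15-character
# limit come from the thread; the helper name and sample inputs are mine.
use strict;
use warnings;

use constant MAX_NAME_LEN => 15;   # what the original HTML form enforced client-side

# Returns a list of error messages; an empty list means the value is acceptable.
# An allow-list (^[A-Za-z0-9]+$) is used instead of /\W/, because \W counts the
# underscore as a word character and would let "bad_name" through.
sub validate_cname {
    my ($cname) = @_;
    $cname = '' unless defined $cname;
    my @errors;

    push @errors, 'Character name is required.' if $cname eq '';
    push @errors, "Your character's name is too long!"
        if length($cname) > MAX_NAME_LEN;
    push @errors, 'Invalid Character Name! (Use only alpha-numeric characters!)'
        if $cname ne '' && $cname !~ /^[A-Za-z0-9]+$/;

    return @errors;
}

# In a CGI script the value would come from the parsed form data, e.g.
# $INPUT{'cname'}; the inputs below are constructed for the demonstration.
my @samples = (
    ['Gandalf',   'plain form submission'],
    ['x' x 40,    'length limit removed from a saved copy of the form'],
    ['bad_name',  'passes /\W/ but not the allow-list'],
    ['<script>',  'markup in the name'],
    ['',          'empty field'],
);

for my $s (@samples) {
    my ($input, $why) = @$s;
    my @errs = validate_cname($input);
    printf "%-10s %-50s -> %s\n", substr($input, 0, 10), $why,
        @errs ? join(' ', @errs) : 'OK';
}
```

The script rejects the 40-character and underscore cases that a referer check alone would have let through once the form was copied.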
 
If this young lad is this much of a pain in the butt surely he'll get his hands on LWP and start hammering your site and filling it with rubbish... and you won't be able to stop him


Kind Regards
Duncan
 