05-25-2004, 05:01 PM #1 WHT Addict (Join Date: Jul 2003, Posts: 117)
CGI Order Form/Dynamic Referer Question
I have a cgi order form which a spammer and a bot were taking advantage of and sending out thousands of emails through.
I'm trying to make my order form so that if the client doesn't come from my site then the form won't process.
The Form is called:
ordernow.cgi
Each product has its details stored in a MySQL DB and product 2, for example, is reached by:
ordernow.cgi?pkid=2
Altering the pkid to, say, 3 gets different values from the MySQL DB.
The client inputs their details and the billing info is then passed to order.cgi for processing. This is what a spammer and a bot were using to send out spam.
I added this to the order.cgi
my $referer = $ENV{HTTP_REFERER};   # referer header sent by the browser
my $path    = $ENV{QUERY_STRING};   # query string of this request
if ( $referer ne "http://www.mydomain.com" ) {
    print "HTTP_REFERER not equal to http://www.mydomain.com<br><br>
REFERER = $referer <br><br>
PATH = $path
";
    exit(0);
} else {
    # ... normal order processing continues here
}
However the referer is actually:
REFERER = http://www.mydomain.com/ordernow.cgi?pkid=2
Though it's dynamic in that the referer can be anything from pkid=2 to pkid=20.
I want to make it so this line of script:
if ( $referer ne "http://www.mydomain.com" ){
Will actually be:
http://www.mydomain.com/ordernow.cgi?pkid=2 to http://www.mydomain.com/ordernow.cgi?pkid=20
How do I do that? Any help is greatly appreciated.
05-26-2004, 04:43 AM #2 Junior Guru (Join Date: Oct 2002, Posts: 229)
# reject unless the referer is ordernow.cgi?pkid=<number> on your own host
# (dots escaped so they match literally rather than any character)
if ( $referer !~ /^http:\/\/www\.mydomain\.com\/ordernow\.cgi\?pkid=\d+$/ )
{
    ...............
}
However, spoofing the referer is no big deal these days.
05-26-2004, 05:32 AM #3 Web Hosting Master (Join Date: Jul 2003, Location: Kuwait, Posts: 5,104)
It sounds like you need to review your script and make sure that there is no way for the request to alter to/from headers.
Also, as suggested before -- the referrer is easy to spoof.
In addition to reviewing your script, I would also make sure that your email server was not an open relay.
Finally, if you are still getting bombarded, you can always add a CAPTCHA check.
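Putting the two replies together, here is an added example (not code from this thread) of the referer pattern from reply #2 alongside the header check reply #3 asks for: the form fields that end up in mail headers are rejected if they contain a CR or LF, which is what lets a request "alter to/from headers". The host www.mydomain.com is the placeholder from the question; the function names and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Referer must be ordernow.cgi?pkid=<number> on our own host, as in reply #2.
# In order.cgi this would be called as referer_ok($ENV{HTTP_REFERER}).
# Note: the referer is client-supplied and easily spoofed, so this only
# stops naive bots; header_value_ok/email_ok below are the real protection.
sub referer_ok {
    my ($referer) = @_;
    return 0 unless defined $referer;
    return $referer =~ m{^http://www\.mydomain\.com/ordernow\.cgi\?pkid=\d+\z} ? 1 : 0;
}

# Any CR or LF in a value that is placed into a mail header lets the
# sender append further header lines (extra recipients, etc.), so refuse it.
sub header_value_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value =~ /[\r\n]/ ? 0 : 1;
}

# Minimal address check for the customer's e-mail field: no CR/LF,
# no whitespace, exactly one @ with a dotted domain part.
sub email_ok {
    my ($addr) = @_;
    return 0 unless header_value_ok($addr);
    return $addr =~ /^[^\s\@]+\@[^\s\@]+\.[^\s\@]+\z/ ? 1 : 0;
}

# Constructed sample requests (not real traffic): a normal order, an order
# whose e-mail field tries to smuggle an extra header line, and an off-site
# referer. Only the first should be accepted.
my @samples = (
    { referer => 'http://www.mydomain.com/ordernow.cgi?pkid=2',
      email   => 'buyer@example.com' },
    { referer => 'http://www.mydomain.com/ordernow.cgi?pkid=20',
      email   => "buyer\@example.com\nBcc: someone\@example.net" },
    { referer => 'http://other.example/',
      email   => 'buyer@example.com' },
);

for my $req (@samples) {
    my $ok = referer_ok($req->{referer}) && email_ok($req->{email});
    printf "%-6s referer=%s\n", ($ok ? 'accept' : 'reject'), $req->{referer};
}
```

Run stand-alone it prints accept for the first sample and reject for the other two; in order.cgi the same checks would run before any mail is sent.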