Tonnerre LOMBARD wrote:
> Salut,
> On Tue, Aug 15, 2006 at 06:59:21PM +0200, Matthias Keller wrote:
> > Correct. And that's the way it works :) Consider this:
> > <form method="POST" action="post.php" onSubmit="this.somefield.value=123"> <input type="hidden" name="somefield" value=""> ... </form>
> > If post.php receives the POST request without $_POST["somefield"] == "123", it refuses to send the mail...
> And what if they do send the 123?
They won't.
Because that would need some user interaction upon collecting the data the first time. And just in CASE they would start with it - no worries, you can always make it more dynamic: consider using some formula which involves the current day and gets calculated on the client AND on the server side, or whatever...
As long as they don't evaluate the JavaScript VERY regularly they can't spam - and I don't think they'll go so far as to execute JS, as it's lots more complicated than just capturing form data and is potentially dangerous (infinite loops and stuff).
As you said - these are SCRIPTS, and as soon as you start to require something not doable by scripts you make it MUCH harder for them.
Matt
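The JavaScript-gated form that Matthias describes, with the date-dependent variant he suggests, worked through as an added example (this is not code from the thread or from post.php). The token formula, the field names, the one-day grace period and the fact that the server check is written in JavaScript rather than PHP are all assumptions made for illustration; the sample submissions are constructed.

```javascript
// Added example: the "hidden field filled in by onSubmit" anti-spam check,
// in its static form and in the per-day form, with both sides of the per-day
// variant computing the same value so a replayed submission goes stale.

// Static variant (what the original <form> does): client sets somefield=123,
// server refuses anything else. A bot that captured the blank form fails;
// a bot that captured one real submission and replays it passes forever.
function acceptsStatic(post) {
  return post.somefield === "123";
}

// Per-day variant. Constructed formula (an assumption, not from the thread):
// the client and the server both derive the token from the current UTC day,
// so replayed captures stop matching after midnight.
const DAY_MS = 24 * 60 * 60 * 1000;

function dailyToken(date) {
  const day = date.getUTCDate();         // 1..31
  const month = date.getUTCMonth() + 1;  // 1..12
  return String(day * 7 + month + 123);
}

// What the browser's onSubmit handler would do: fill the hidden field just
// before the POST goes out. Scripts that only scrape the form never run this.
function clientSubmit(fields, now) {
  return Object.assign({}, fields, { somefield: dailyToken(now) });
}

// Server side. Accept today's token, and yesterday's as a grace period for a
// form loaded just before midnight and submitted just after; a replay that is
// older than that, or a blank or missing field, is refused.
function acceptsDaily(post, now) {
  const submitted = post.somefield;
  if (typeof submitted !== "string" || submitted === "") return false;
  const today = dailyToken(now);
  const yesterday = dailyToken(new Date(now.getTime() - DAY_MS));
  return submitted === today || submitted === yesterday;
}

// Constructed scenarios (the dates are arbitrary; the thread is from Aug 2006).
const aug15 = new Date(Date.UTC(2006, 7, 15, 18, 59));
const aug16 = new Date(Date.UTC(2006, 7, 16, 0, 10));
const aug18 = new Date(Date.UTC(2006, 7, 18, 12, 0));

// A real browser submission on Aug 15.
const browserPost = clientSubmit({ email: "user@example.org", message: "hi" }, aug15);
// A scraper that harvested the form fields as served, hidden field still empty.
const scraperPost = { email: "spam@example.net", message: "buy", somefield: "" };
// A scraper that captured the real submission above and replays it later.
const replayPost = Object.assign({}, browserPost, { message: "buy" });

console.log("browser, same day  :", acceptsDaily(browserPost, aug15)); // true
console.log("scraper, blank     :", acceptsDaily(scraperPost, aug15)); // false
console.log("replay, next day   :", acceptsDaily(replayPost, aug16));  // true (grace)
console.log("replay, three days :", acceptsDaily(replayPost, aug18));  // false
```

The grace period is the trade-off Matthias alludes to: a replay within a day still gets through, but a bot now has to re-evaluate the script (or re-derive the formula) at least that often, whereas the static "123" check is defeated by a single captured submission.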