crabby80 — 2011-08-04T16:04:52-04:00 — #1
One of my sites allows users to send other users messages. In order to do this you need to be logged in. I've included a unique token that gets created server side and has to match the token that gets posted.
Somehow, someone is managing to send spam; when I check the sender id, it's 0, which suggests they're bypassing login.
How are they achieving this??
Any help would be very helpful.
force — 2011-08-04T16:52:01-04:00 — #2
Without seeing code, it's going to be hard to guess.
prasanthmj — 2011-08-04T23:07:16-04:00 — #3
Where do you keep the unique id? How do you make the unique id?
praveenkv1988 — 2011-08-10T06:33:45-04:00 — #4
The unique id might be in a hidden field which the spammers use to submit the message.
jake_arkinstall — 2011-08-10T12:23:06-04:00 — #5
Worst-case scenario, they could have database access. If that's the case, nothing you can do with the PHP will help.
But chances are there's just a loophole in your form. Are you checking that they're logged in on the form processing side of things, or just to get to the form in the first place? The latter leaves opportunity to use the form processing without logging in.
The simplest solution to this problem regardless, albeit temporarily, is to modify your queries so that only messages from users with id >= 1 will be seen, counted etc.
the182guy — 2011-08-10T16:07:42-04:00 — #6
Show your code that is doing the login check when a message is sent.
crabby80 — 2011-08-15T15:38:11-04:00 — #7
Sorry for the delay guys, I've been away; back to reality.
I'm using the following to create a unique id:
$token = md5(uniqid(rand(), true));
This is matched against a hidden field when the form is submitted?
They need to be authenticated to access the form, but I've now added code to double check I have a user id in session when the form is submitted, I think this may have done the trick??!!!
They must have had a cached version somehow??
Thanks for your replies guys, I'll let you know if it still occurs.
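The loophole jake_arkinstall describes in #5 (login checked only when the form is displayed, not when it is processed) and the fix crabby80 lands on in #7 (re-checking the session user id and the token at submit time), as one added PHP example. This is not code from the thread; the function names, the `messages` table, the `$_SESSION` keys and the PDO handle are assumptions. The token generation line is the one from #7.

```php
<?php
// Added example (not from the thread): a message-send handler that enforces
// authentication and the form token at processing time, not only when the
// form is shown. Function names, table name and session keys are assumptions.

session_start();

// Called when rendering the form: issue the per-session token the original
// poster describes, and keep a server-side copy to compare against later.
function issue_form_token(): string
{
    $token = md5(uniqid(rand(), true));          // line from post #7
    $_SESSION['message_form_token'] = $token;
    return $token;
}

// The pattern from #5: only the page that shows the form checks login, so
// the processing script trusts whatever is POSTed. With no session present,
// $_SESSION['user_id'] is unset and the sender is stored as 0, which is
// exactly the symptom reported in #1.
function send_message_unchecked(PDO $db, array $post): void
{
    $senderId = $_SESSION['user_id'] ?? 0;
    $stmt = $db->prepare(
        'INSERT INTO messages (sender_id, recipient_id, body) VALUES (?, ?, ?)'
    );
    $stmt->execute([$senderId, $post['recipient_id'] ?? 0, $post['body'] ?? '']);
}

// Hardened handler: every submission is re-checked, regardless of how the
// caller reached the form (cached page, scripted POST, and so on).
function send_message_checked(PDO $db, array $post): bool
{
    // 1. The session must carry a real user id at processing time.
    $userId = (int) ($_SESSION['user_id'] ?? 0);
    if ($userId < 1) {
        http_response_code(403);
        return false;
    }

    // 2. The posted token must equal the one issued to this session.
    //    hash_equals() gives a constant-time comparison.
    $expected = $_SESSION['message_form_token'] ?? '';
    $given    = (string) ($post['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        return false;
    }

    // 3. Single use: drop the token so the same submission cannot be replayed.
    unset($_SESSION['message_form_token']);

    $stmt = $db->prepare(
        'INSERT INTO messages (sender_id, recipient_id, body) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $userId,
        (int) ($post['recipient_id'] ?? 0),
        (string) ($post['body'] ?? ''),
    ]);
    return true;
}

// The interim mitigation from #5: when reading messages, ignore anything
// whose sender id could not have come from a logged-in user.
function inbox_for(PDO $db, int $recipientId): array
{
    $stmt = $db->prepare(
        'SELECT id, sender_id, body FROM messages
          WHERE recipient_id = ? AND sender_id >= 1
          ORDER BY id DESC'
    );
    $stmt->execute([$recipientId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the form page calls issue_form_token() and embeds the result in a
// hidden field named "token"; the POST target calls send_message_checked().
```

Two design notes. The session check and the token check are independent: the session check stops unauthenticated submissions (sender id 0), while the token check stops a logged-in user's browser from being driven into submitting the form from another site. On PHP 7 or later, `bin2hex(random_bytes(16))` is a stronger source for the token than `md5(uniqid(rand(), true))`, which is not designed as a cryptographic random generator.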