Question about POST

Bill Vlahos bvlahos at jpl.nasa.gov
Thu Sep 5 18:25:01 EDT 2002


A simple solution around this would be to include another post 
parameter which the user does not enter. It would be automatically sent 
by your standalone. This would work like a password and the CGI would 
check for the correct entry.

Someone would have to sniff the network traffic to obtain the 
"password" to find out what it is - which is probably unlikely. Since 
it would be embedded in your application and CGI you could make it 
really long and random and therefore virtually impossible to guess. The 
domain restriction could then go away because you have this additional 
level of authentication.

Bill Vlahos

On Thursday, September 5, 2002, at 03:39  PM, Sannyasin Sivakatirswami 
wrote:

> I was never able to resolve this one... I hesitated to remove the 
> authorized domain variable from the formmail.pl, because our server 
> logs clearly show attempts to spam "formmail"  by hackers, and 
> although the sys admin for the HOST is pretty soft on this one and has 
> no global protection in place against it... there would be serious 
> repercussions if one of my forms were the cause of the server going 
> down....
>
> I resorted to asking people in the standalone to simply email us 
> their name and address and contact information from their own email 
> client... here the intent was to let them "register" as a user from 
> within the standalone,
>
> Can anyone else comment on this? I could be missing something very 
> simple here. Could one somehow keep the authorized domain list on the 
> host machine's CGI and still create a mechanism on a publicly 
> distributed standalone to post data to that CGI from an ISP other than 
> the machine that hosted the CGI? Where the domain from which the POST 
> was originating would be completely unknown? I suppose if I used a 
> faceless xTalk CGI and configured it to accept only input from the 
> standalone, that could also be another solution?
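
The check suggested in the reply at the top of this message, sketched in Python as an added example (not code from the thread or from formmail.pl): the standalone adds a fixed token field to every POST and the CGI rejects any request that lacks it. The field name `app_token`, the sample token value and both function names are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample value. A real one would be generated once, for
# instance with secrets.token_hex(32), and embedded in both the
# standalone and the CGI.
EXPECTED_TOKEN = "5d1c0e7a9b3f4c2688aa17e0d4b6f95c3e2a71d08c4b6f1e9a0d3c7b5e8f2a14"
TOKEN_FIELD = "app_token"  # assumed name of the extra POST parameter


def build_post(fields, token=EXPECTED_TOKEN):
    """Standalone side: the user's fields plus the token they never see."""
    return urlencode({**fields, TOKEN_FIELD: token})


def check_post(body, expected=EXPECTED_TOKEN):
    """CGI side: return (status, fields) for a urlencoded POST body.

    403 unless exactly one token value is present and it matches.
    The token is removed from the fields handed on to the mailer.
    """
    params = parse_qs(body, keep_blank_values=True)
    supplied = params.pop(TOKEN_FIELD, [])

    # A missing token, or the field repeated with different values,
    # is treated as a request that did not come from the standalone.
    if len(supplied) != 1:
        return 403, {}

    # Constant-time comparison, so response timing does not reveal how
    # many leading characters of a guess were correct.
    if not hmac.compare_digest(supplied[0].encode(), expected.encode()):
        return 403, {}

    return 200, {name: values[0] for name, values in params.items()}


if __name__ == "__main__":
    good = build_post({"name": "Test User", "email": "user@example.org"})
    print(check_post(good))                      # accepted
    print(check_post("name=x&email=y"))          # no token: rejected
    print(check_post(build_post({"name": "x"}, token="guess")))  # rejected
```

Sending the POST over HTTPS removes the network-sniffing exposure the reply mentions.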