Got Spammed from a contact form
#41

[eluser]Référencement Google[/eluser]
It seems that this can be an issue while using validation callbacks (with the old 1.6.3 validation lib) or more generally while setting rules with CI.

For example, this is the code I have at some point in the validation rules:
Code:
'check' => 'trim|callback_js_check|required' // Antispam trick

If the value of the hidden field "check" is set to FALSE using, for example, the Firefox developer toolbar, the callback_js_check callback is bypassed. So that can be a security issue (not for my spamming problem, but for things that could be more sensitive, like validating something to insert in a DB).

I don't know if this is a CI issue, but it would be cool if some of us ran some more tests on it.
#42

[eluser]JoostV[/eluser]
This keeps spammers away if they do not use your website to post, but post from an external form:

1. Create a random hash string
2. Place this string in a hidden field in your form (e.g. form_hidden('token', 'randomhash123'))
3. Place the same string in session: $this->session->set_userdata('token', 'randomhash123')
4. On post check if $this->validation->token == $this->session->userdata('token') and throw an error if it isn't
5. Create a new random string and store that in session to avoid double posts
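
The five steps above as a runnable sketch, added here as an example and not code posted by anyone in the thread. It assumes PHP 7+, uses a plain array in place of the CodeIgniter session so it runs from the command line, and the names issue_token and check_token are hypothetical. An empty or missing field is treated as a failed check rather than skipped.

```php
<?php
// Steps 1-3: generate a random token and keep a copy server-side.
// $session stands in for $this->session (assumption, so the script runs stand-alone).
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16)); // CSPRNG, 32 hex characters
    return $session['token'];                      // caller puts this in the hidden field
}

// Steps 4-5: compare the posted value with the stored one, then rotate.
function check_token(array &$session, array $post): bool
{
    $expected = isset($session['token']) ? $session['token'] : null;
    $posted   = isset($post['token']) ? $post['token'] : null;

    // Step 5: replace the stored token on every attempt, so each token
    // is good for one submission only (this also stops double posts).
    issue_token($session);

    // A missing, empty or non-string value fails the check outright.
    if (!is_string($expected) || !is_string($posted) || $posted === '') {
        return false;
    }
    // Step 4: constant-time string comparison.
    return hash_equals($expected, $posted);
}

// Constructed sample requests, processed in order against one session.
$session = array();
$token   = issue_token($session);
$cases   = array(
    'posted from the site form' => array('token' => $token),
    'same token sent again'     => array('token' => $token),
    'field present but empty'   => array('token' => ''),
    'external form, no field'   => array(),
);
foreach ($cases as $label => $post) {
    $result = check_token($session, $post) ? 'accepted' : 'rejected';
    printf("%-28s %s\n", $label, $result);
}
```

In a controller, the form view would render the value returned by issue_token in the hidden field each time the form is displayed, including after a failed submission.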
