tvspec

Good idea. I will try that. In addition, how can I also verify the refferer using $_SERVER['HTTP_REFERER'] in my script? I'm not sure how to use it.

I don't think that worked. If it had worked, would I get the echo "referring page required" when I go directly to the php-scripted page where the form is sent to? Right now, anyone who goes to that page..automatically sends a blank form.

If I use this - shouldn't that help? if(!isset($_SERVER['HTTP_REFERER']) || isempty($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] == ''): echo "Referring page required."; exit; endif; do I need to set somewhere what page is actually using it?

So how would I write that in my script?

No, the email addresses are not hidden fields in the previous page, they are in the processing script after it is submitted. How can I check the referrer page - I bet that'll fix the problem, because when I look back at pages visited - the page with the original form was not visited...

My form is created with php and is handled through php - within the past day I have received bogus information through them - up to about 30 an hour all from different IP address in Texas, New Jersey, California, and Colorado. It seems hopeless to try and block all the ip address because they change - but it seems there are only a handful of service providers, which I've notified through their abuse and tech emails. What can I do so that I can stop getting these? The info that has been submitted is similar to this (mydomain was edited from my real domain name): Here is what was submitted : Name: pmcf@**** Content-Type: multipart/mixed; boundary=\"===============0458757291==\" MIME-Version: 1.0 Subject: 1072bf53 To: pmcf@**** bcc: jrubin3546@aol.com From: pmcf@**** or here's another: Here is what was submitted : Name: hddbofuxk@**** Preferred way to be contacted: hddbofuxk@**** Email: hddbofuxk@**** Phone #: hddbofuxk@**** Comments: hddbofuxk@****

Thanks for both of your inputs. Personally, I would spend the extra money for the SSL and certificate - but I'm trying to give the person whom I'm proposing a design to - the different options. And yes, they are on a shoe string budget.

If I only enable Pay Pal on OsCommerce - that appears that it takes you to the Pay Pal website and they can then proceed to pay with or w/o a paypal account. If I give pay pal as the only option - then I shouldn't need SSL - correct?

Yeah - I've been surfing through those. A lof of them don't have demo's though and I don't want to install the entire thing 'hoping' it's what I want. I was hoping someone had some suggestions or had used some themselves.

So then, if I understand, the only real vulnerability would be the customer name, address, etc? (not the credit info)

I will be doing picture polls (voting on favorite pics) and a few other things - where the poll can be implemented directly onto an XHTML/CSS page. Does anyone have any recommendations of a free script I can use - and perhaps a demo I can view? Thanks!!

From what I understand, the site that someone wants me to do only has about 7 products on it. I'm fairly certain there won't need to be an inventory-count database behind it. What vulnerability issues could there still be? With OsCommerce, it appears to me that the only thing I would be worried about is people getting into customer info. Do you know if OsCommerce keeps credit card info?

And with the SSL certificate I shouldn't have to worry about other security vulnerabilities - correct?

I've been reading a lot of posts about shopping carts and SSL and certificates. I just want to make sure I understand this alright. The basic things you need to do e-commerce are: 1)Shopping cart/catalog system (which you can do with OsCommerce that TCH offers) 2)SSL Certificate to use in conjunction with the shopping cart/catalog system - to make the transactions secure. Basically, I'm very concerned about doing an e-commerce site for someone else, because I don't have enough experience in doing it, and I'm afraid of credit card vulnerability issues, etc. Are those the two basic things you need to do e-commerce?

I just found out about this default email account, and I have over 11,000 messages. Is there a way I can just go in and delete them all rather than deleting only 15 or 20 at a time in one of the web mail services? There has got to be a way to empty the entire box. Please advise. Thanks