How do you hack this PHP?


nix
12-09-2005, 03:20 AM
That got your attention I'm sure. :D

While I don't want to know how to hack PHP, I want to know how people are hacking me. In my guestbook, I'm getting hit with Spam. Not as bad as I used to, because now I don't accept direct requests to the page that you add your entry to. But even when I check if there is no referrer, I still get hit with the Spam, and checking my logs reveals that the guys that still get through don't have a referrer at all! So what am I doing wrong? How are they faking a referrer? What other methods are there to stop them from inputting straight into my guestbook? It's not as cut and dry as saying make my referrer check absolute, because I have linked from several pages directly to my "addentry.php" and then I'd have to make a small list of all the pages that link to the add entry page, and if I ever added another link, then I'd have to add that link to the list. I'm not lazy, but I don't want to do it that way. I want a solution to the problem. And perhaps a look into how I can secure my PHP scripts better (alright, I admit it, laziness does play a small part in it too).

Horus_Kol
12-09-2005, 07:05 AM
include a time limited random id as a hidden variable in the form?

BluParadox
12-10-2005, 02:15 PM
One option would be to display one of those pictures that have text in them that people have to enter to prove that they are human...

It's very easy to fake any referrer you want, so checking for that won't help you from a security perspective.

What are you using for your guestbook? Something you coded or something pre-done (and possibly modified)?

scoutt
12-12-2005, 08:24 AM
Never rely on the referrer; not all browsers send it. The security image is the best thing to do.

Joe
12-12-2005, 12:20 PM
I used to get bombed by spammers, but I've managed to almost eliminate it now by using SESSIONS to make sure the user has come from my form entry page.

The SESSION value isn't easily copied as I use SESSID. It's stopped most of the automated spamming anyway ... just have to stop those annoying people who type it in legitimately now.
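The two session-based suggestions in this thread (Horus_Kol's time-limited random id in a hidden field, and Joe's check that the visitor actually loaded the form page) can be combined into one token check. This is an added example, not code posted by anyone in the thread; the function names, the `gb_token` field name and the 10-minute lifetime are assumptions.

```php
<?php
// Added example: a time-limited, per-session form token that ties a guestbook
// submission to a form page this visitor really loaded. Names are assumptions.

const GUESTBOOK_TOKEN_TTL = 600; // seconds a form token stays valid (assumed)

// Call on the page that renders the guestbook form.
function guestbook_issue_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16)); // 128 random bits from a CSPRNG
    $_SESSION['gb_token'] = $token;
    $_SESSION['gb_token_issued'] = time();
    return $token;
}

// Render the hidden field; escape the value even though we generated it.
function guestbook_token_field(string $token): string {
    return '<input type="hidden" name="gb_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Call in addentry.php before touching the submitted entry.
// Returns true only for a submission carrying this session's unexpired token.
function guestbook_token_valid(array $post): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['gb_token'] ?? null;
    $issued   = $_SESSION['gb_token_issued'] ?? 0;
    // One-shot: clear the token so a replayed or double submission fails.
    unset($_SESSION['gb_token'], $_SESSION['gb_token_issued']);

    if ($expected === null || !isset($post['gb_token'])) {
        return false; // no form page was loaded in this session
    }
    if (time() - $issued > GUESTBOOK_TOKEN_TTL) {
        return false; // token is stale
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals($expected, (string) $post['gb_token']);
}

// Usage at the top of addentry.php (file name taken from the thread):
// if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !guestbook_token_valid($_POST)) {
//     http_response_code(403);
//     exit('Please use the guestbook form.');
// }
```

A bot that posts straight to addentry.php without first fetching the form has no session token and is rejected regardless of what it sends in the Referer header; the referrer check becomes unnecessary.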