Thanks all. The information is not that sensitive, but in the least, such a measure is important to prevent a DoS attack as Khalid mentioned. <br><br>Yet even if user data is not that sensitive, it's still inappropriate to allow someone to just run off knowing most of the registered users on a site. This could be a first phase for performing a more elaborate and targeted attack on a site.
<br><br>David, how could using a captcha help here? By storing the result in a session variable and expecting it back with the AJAX call? How can we change the captcha on the next call without refreshing the page? I haven't really used captchas before, so apologies if these questions are invalid in this context.
<br><br>What is evident here is that any full client side solution is bound to fail as it is easily manipulated by the client. Thanks.<br><br><div><span class="gmail_quote">On 5/8/07, <b class="gmail_sendername">Khalid Baheyeldin
</b> <<a href="mailto:kb@2bits.com">kb@2bits.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><span class="q">On 5/7/07,
<b class="gmail_sendername">David Metzler</b> <<a href="mailto:metzlerd@metzlerd.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">metzlerd@metzlerd.com</a>> wrote:</span><div><span class="q">
<span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
True enough, but that being said, there's not a fundamental<br>difference between having an ajax script call a php page that checks<br>to see if a username has been taken, and having a web form perform<br>the same validation. So don't assume that Ajax is the problem here,
<br>just realize that it doesn't provide any additional security either.</blockquote></span><div><br>The difference is that in AJAX (as most commonly used), if you type "aa", <br>then all the users with names beginning with Aa will show up for you, then
<br>you do "Ab", and get a list, then "Ac", ...etc.<br><br>This does not happen in a normal non-AJAXified form. All you can get<br>is whether the full name you chose exists or not.<br></div></div><br>
Ashraf,
<br><br>If this data is sensitive, then just don't reveal it. Also, check that there<br>is sufficient delay before retrieving results, so as not to get DoS attacks<br>by asking for the data too quickly, overloading the database.
<br>
</blockquote></div><br>
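As an added illustration of the two points in the thread (a prefix-matching AJAX endpoint reads out the user list, while an exact-match check with a rate limit reveals only whether one name exists), here is a small Python model of both server-side handlers. It is not code from the thread or from Drupal; the user table, the `AvailabilityChecker` class and its limits are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample user table; on a real site this would be a database query.
REGISTERED_USERS = {"aaron", "aabid", "abigail", "khalid", "david"}


def leaky_prefix_check(prefix):
    """The pattern the thread warns about: an autocomplete endpoint that returns
    every registered name starting with the typed prefix. Calling it with
    'aa', 'ab', 'ac', ... walks the whole user table two letters at a time."""
    prefix = prefix.lower()
    return sorted(u for u in REGISTERED_USERS if u.startswith(prefix))


class AvailabilityChecker:
    """Hardened form: answers only 'is this exact name taken?' (a boolean, never
    a list) and applies a per-client sliding-window rate limit so the endpoint
    cannot be hammered quickly enough to enumerate names or to overload the
    database. `clock` is injectable so the limit can be tested without sleeping."""

    RATE_LIMITED = "rate_limited"

    def __init__(self, max_requests=5, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent calls

    def _allowed(self, client_id):
        now = self.clock()
        recent = self._hits[client_id]
        # Forget calls that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True

    def check(self, client_id, username):
        """Return True if the exact name is taken, False if it is free,
        or RATE_LIMITED when this client has asked too often."""
        if not self._allowed(client_id):
            return self.RATE_LIMITED
        # Exact match only: no prefix search, no wildcard, no list of neighbours.
        return username.lower() in REGISTERED_USERS
```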