<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On May 8, 2007, at 1:01 AM, Ashraf Amayreh wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite">David, how could using a captcha help here? By storing the result in a session variable and expecting it back with the AJAX call? How can we change the captcha on the next call without refreshing the page? I haven't really used captcha's before, so apologies if these questions are invalid in this context. <BR></BLOCKQUOTE><DIV>Yes exactly. but the captcha doesn't necessarily need to change with every ajax call. Only with every main page load. It can be the same. Although, I suppose you could force the image to reload it would be disconcerting and annoying for the user. If I were really concerned, I would combine this with some kind of session based timer or max number of calls strategy.</DIV><BR><BLOCKQUOTE type="cite"><BR>What is evident here is that any full client side solution is bound to fail as it is easily manipulated by the client. Thanks.<BR><BR><DIV><SPAN class="gmail_quote">On 5/8/07, <B class="gmail_sendername">Khalid Baheyeldin </B> <<A href="mailto:kb@2bits.com">kb@2bits.com</A>> wrote:</SPAN><BLOCKQUOTE class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><SPAN class="q">On 5/7/07, <B class="gmail_sendername">David Metzler</B> <<A href="mailto:metzlerd@metzlerd.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">metzlerd@metzlerd.com</A>> wrote:</SPAN><DIV><SPAN class="q"> <SPAN class="gmail_quote"></SPAN><BLOCKQUOTE class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> True enough, but that being said, there's not a fundamental<BR>difference between having an ajax script call a php page that checks<BR>to see if a username has been taken, and having a a web form perform<BR>the same validation. So don't assume that Ajax is the problem here, <BR>just realize that it doesn't provide any additional security either.</BLOCKQUOTE></SPAN><DIV><BR>The difference is that in AJAX (as most commonly used), if you type "aa", <BR>then all the users with names beginning with Aa will show up for you, then <BR>you do "Ab", and get a list, then "Ac", ...etc.<BR><BR>This does not happen in a normal not AJAXified form. All you can get<BR>is whether the full name you chose exists or not.<BR></DIV></DIV><BR> Ashraf, <BR><BR>If this data is sensitive, then just don't reveal it. Also, check that there<BR>is sufficient delay before retrieving results, so as not to get DoS attacks<BR>by asking for the data too quickly, overloading the database. <BR> </BLOCKQUOTE></DIV><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>