Posted on 10/31/2008 9:31:31 AM PDT by RobinMasters
Will the innovations never cease? Yesterday I described several, eh, unique capabilities pioneered by the Obama campaign in the area of campaign contributions.
Among them, failure to do even basic credit-card validation; accepting untraceable prepaid credit cards; and sharing donor lists with suspect groups like ACORN. Heck, Barack's campaign wouldn't even share those lists with Hillary!
Anyhow, an anonymous tipster mentioned that checking out the source code of the Obama donation website.
(Excerpt) Read more at israpundit.com ...
Seems strange - if you are going to set IP addresses to a specific value every time - why not do that on the server side rather than setting something like that on the client side?
Anyone try putting in a faked credit card with a negative number in the other field? Might pull money from his campaign if they missed that little credit processor trick.
This is simply a method to capture the IP address of the person visiting. When the page loads, a script captures the requester's IP address and loads the field. Nothing sinister about this.
The first poster is right - this should be done server side. No need to include as a “hidden” client side variable. Heck, it’s extra work.
I literally could re-post that form and overload that variable with any address I wanted.
At best, this is extraordinarily sloppy coding.
If accurate logs were kept, I would hardly be shocked to see large amounts of foreign IP address blocks.
It’s hard to tell without seeing the validation processing on the server side, but by constructing the page in this way, it becomes very easy to create a fake form that can submit false information directly to the payment processor.
To create your own donation page, it’s just a matter of copying the existing form, swapping the fields that are generated on the fly (the Referrer, IP and Country fields, perhaps?) and hard coding them to another value.
Once that’s done, you’re all set to donate using falsified info.
Ideally, their website would cross-check the IP address coming from the browser and the IP address coming from the form (immediate red flag), but I’m not going to make a donation to figure that part out. :-)
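The cross-check described in the comment above, as an added example that is not part of the thread or of the site's code: the server records the address of the connection itself and treats the hidden form value only as a signal to compare against. The field name `ip` and the function names are hypothetical; the thread does not give the real ones.

```python
import ipaddress

IP_FIELD = "ip"  # hypothetical name of the hidden form field (not given in the thread)


def _normalize(value):
    """Parse an IP string; unwrap IPv4-mapped IPv6 so ::ffff:1.2.3.4 equals 1.2.3.4."""
    addr = ipaddress.ip_address(value.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def assess_submission(peer_ip, form):
    """Return the IP to record and any red flags for one form POST.

    peer_ip: address of the TCP connection as seen by the server (trusted).
    form:    decoded POST fields sent by the browser (untrusted).
    """
    recorded = _normalize(peer_ip)  # the only value that is ever logged
    flags = []
    claimed_raw = form.get(IP_FIELD)
    if claimed_raw is None:
        flags.append("ip_field_missing")        # form was rebuilt without the field
    else:
        try:
            claimed = _normalize(claimed_raw)
        except ValueError:
            flags.append("ip_field_malformed")  # not an address at all
        else:
            if claimed != recorded:
                flags.append("ip_field_mismatch")  # field and connection disagree
    return {"recorded_ip": str(recorded), "flags": flags}


# Constructed sample submissions (documentation address ranges, not real traffic).
SAMPLES = [
    ("203.0.113.7", {"ip": "203.0.113.7", "amount": "25"}),         # untouched form
    ("203.0.113.7", {"ip": "198.51.100.9", "amount": "25"}),        # field overwritten
    ("::ffff:203.0.113.7", {"ip": "203.0.113.7", "amount": "25"}),  # dual-stack listener
    ("203.0.113.7", {"ip": "not-an-ip", "amount": "25"}),           # garbage in field
    ("203.0.113.7", {"amount": "25"}),                              # field stripped
]

if __name__ == "__main__":
    for peer, form in SAMPLES:
        print(peer, form.get(IP_FIELD), assess_submission(peer, form))
```

Behind a load balancer the connection address is the proxy's, so `peer_ip` would have to come from that proxy's forwarded-address header, and only when the proxy is one the server trusts.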
This is paranoid BS. If you actually go to Obama’s site and list the source, you will see that the IP in that field is YOUR IP, not some random fake IP.