I have a routine that updates information on a web page.
The page is created dynamically through Perl with the data stored in a MySQL database.
This data can be updated online by any number of managers around the world (using JavaScript / Perl to update the MySQL) … the problem I have is that the form is getting occasionally hijacked and spoofed and some idiot somewhere is changing the data … I can see them doing it as I have put email feedback in the Perl script which tells me the referrer and IP address of the person running my update script.
There is an update button on the website … which pops up a form asking for username and password … this then makes visible another form in a div (ok, I agree, not great security here) … this form is then submitted via ajax with the form values and updates the MySQL with a Perl script.
The Perl script checks for referrer being the correct domain – but of course this can be spoofed … which is what is happening now.
As JavaScript is visible to anyone, I am wondering what is a good way to protect the Perl script if checking referrer is failing because of the spoofing.
Authenticate a user server-side.
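One way to do what the answer recommends, as an added example that is not code from the original post: the server checks the password itself, issues an HMAC-signed session token, and the update script accepts a request only when that token verifies, ignoring the Referer entirely. The sub names, the `%USERS` table (standing in for a MySQL users table) and the key are assumptions for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256 hmac_sha256_hex);

# Hypothetical server-only secret; in practice read it from a file outside the web root.
my $SERVER_KEY = 'constructed-demo-key';

# PBKDF2-HMAC-SHA256 (one 32-byte block), so passwords are never stored in clear.
sub pbkdf2 {
    my ($password, $salt, $rounds) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);
    my $out = $u;
    for (2 .. $rounds) { $u = hmac_sha256($u, $password); $out ^= $u; }
    return unpack 'H*', $out;
}

# Compare via keyed digests so timing does not reveal how many leading bytes matched.
sub ct_eq {
    my ($x, $y) = @_;
    return hmac_sha256($x, $SERVER_KEY) eq hmac_sha256($y, $SERVER_KEY);
}

# Constructed stand-in for a users table in MySQL (salt and password are sample values).
my %USERS = (
    manager1 => { salt => 'c0ffee01', hash => pbkdf2('correct horse', 'c0ffee01', 10_000) },
);

# Login handler: verify the password on the server, then issue "user|expiry|mac".
sub login {
    my ($user, $password) = @_;
    my $rec = $USERS{ $user // '' } or return;
    return unless ct_eq(pbkdf2($password // '', $rec->{salt}, 10_000), $rec->{hash});
    my $payload = join '|', $user, time() + 900;    # 15-minute session
    return "$payload|" . hmac_sha256_hex($payload, $SERVER_KEY);
}

# Update handler gate: returns the user name for a valid, unexpired token, else undef.
sub session_user {
    my ($user, $expires, $mac) = split /\|/, ($_[0] // ''), 3;
    return unless defined($mac) && $expires =~ /\A\d+\z/;
    return unless ct_eq($mac, hmac_sha256_hex("$user|$expires", $SERVER_KEY));
    return time() > $expires ? undef : $user;
}

# The update script calls session_user() first and runs its MySQL UPDATE only for a user.
my $token = login('manager1', 'correct horse');
print session_user($token) // 'rejected', "\n";     # token issued by login()
print session_user(undef)  // 'rejected', "\n";     # spoofed Referer, no session
(my $forged = $token) =~ s/\Amanager1/manager2/;    # edited token fails the HMAC check
print session_user($forged) // 'rejected', "\n";
```

In a deployment the token would travel in a cookie marked `HttpOnly` and `Secure` over HTTPS rather than in a form field the page's JavaScript fills in.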