ID: 26684
Updated by: [EMAIL PROTECTED]
Reported By: telefoontoestel at officepxert dot digitaal dot biz
-Status: Open
+Status: Bogus
Bug Type: Variables related
Operating System: Linux 8.5.3-STABLE #3
PHP Version: 4.3.4
New Comment:
Uhm? This has nothing to do with PHP. It's the browser that sends the
POST request; PHP only handles the POST request and there is no reason
it should deny it if it comes from a 'different' server. It's up to the
programmer to guard for this...this is just a basic feature of the
"www".
Previous Comments:
------------------------------------------------------------------------
[2003-12-21 12:04:37] telefoontoestel at officepxert dot digitaal dot biz
Description:
------------
It is possible to post data to a script on an external server. I find
this a huge bug in the PHP API; because of this, harmful persons can
add/alter any kind of data to a script. Will this be resolved in a
future PHP version?
Reproduce code:
---------------
[external server]
<?php
ini_set("register_globals", 1);
$variabel = $_POST["test_var"];
if (!empty($variabel)) {
    print "This is the bug I'm talking about";
}
?>
[other server]
<form method="post"
action="http://my.external.site/externalphpscript.php">
<input type="text" name="test_var">
<input type="submit" value="Test">
</form>
Expected result:
----------------
This is the bug I'm talking about
------------------------------------------------------------------------
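One way a programmer can guard a script like the report's externalphpscript.php, shown as an added example that is not part of the original thread: a per-session form token checked on every POST. It assumes PHP 7.0 or later; the helper names csrf_token() and csrf_valid() and the csrf_token field name are hypothetical.

```php
<?php
// Added example (not from the bug report): per-session anti-forgery token.
// Assumes PHP 7.0+ (random_bytes, hash_equals, the ?? operator).
session_start();

// Hypothetical helper: create the token once per session and reuse it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hypothetical helper: constant-time comparison of the submitted token.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        // A form hosted on another server cannot read this session's token,
        // so its POST is rejected here.
        http_response_code(403);
        exit('Request rejected: missing or invalid form token.');
    }
    $variabel = $_POST['test_var'] ?? '';
    if ($variabel !== '') {
        echo 'Accepted: ', htmlspecialchars($variabel, ENT_QUOTES, 'UTF-8');
    }
    exit;
}
?>
<form method="post" action="">
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
<input type="text" name="test_var">
<input type="submit" value="Test">
</form>
```

The token ties a POST to a form the site itself served within the same session. It does not stop a client from sending POST data at all, so the submitted values still need normal validation.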