Michal Migurski wrote:

Anyone have any clue why this is the case? Is there a performance
reason that raw post data must be explicitly enabled, or is it more of
a protective measure for overly permissive beginner scripts?


If it was always enabled, it sure would make a DoS attack easy. I'd just
send lots of huge POST requests to any PHP script on your server. Hope
you have "migs and megs of memories," as Strong Bad would say. :-)



Isn't this potentially a DoS attack vector anyway? I don't need a server
to accept or read my obscenely long POST requests to clog the pipes with
them. Would the proper way to handle this risk be to disallow POST at the
webserver level, or does turning always_populate_raw_post_data off cause
the connection to be automatically dropped after Connection: close?


Well, if you disallow POST, you will have to use GET for things like logging in - insecure. And you will be limited to about 1024 bytes of data on most systems and you can't use file uploads.

I guess you would know how to create malformed packets. For a DoS attack on a PHP script that accepts POST, you only need about 10 lines of code, you don't need to know how to create malformed packets, and you don't waste your own bandwidth.


--
Raditha Dissanayake.
---------------------------------------------
http://www.radinks.com/print/upload.php
SFTP, FTP and HTTP File Upload solutions


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
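
Added example, not part of the original thread or of PHP itself: one way to bound the memory a script spends on a raw POST body, by reading `php://input` in chunks under a cap rather than holding an unbounded body in a variable. `MAX_BODY_BYTES`, `read_capped_body()` and `sample_stream()` are hypothetical names, and the 64 KiB cap is an assumed value.

```php
<?php
const MAX_BODY_BYTES = 65536; // assumed cap; hypothetical constant name

function read_capped_body($stream, int $maxBytes, ?int $declaredLength = null): string
{
    // Reject on the declared length first, before reading any of the body.
    if ($declaredLength !== null && $declaredLength > $maxBytes) {
        throw new LengthException("declared body of $declaredLength bytes exceeds $maxBytes");
    }
    $body = '';
    while (!feof($stream)) {
        $chunk = fread($stream, 8192);
        if ($chunk === false) {
            throw new RuntimeException('read error on request body');
        }
        $body .= $chunk;
        // Content-Length can be absent or wrong, so count what actually arrives.
        if (strlen($body) > $maxBytes) {
            throw new LengthException("body exceeds $maxBytes bytes");
        }
    }
    return $body;
}

// Constructed sample input: an in-memory stream stands in for php://input.
function sample_stream(int $size)
{
    $s = fopen('php://memory', 'w+');
    fwrite($s, str_repeat('a', $size));
    rewind($s);
    return $s;
}

if (PHP_SAPI === 'cli') {
    echo strlen(read_capped_body(sample_stream(1000), MAX_BODY_BYTES, 1000)), " bytes accepted\n";
    try {
        read_capped_body(sample_stream(200000), MAX_BODY_BYTES);
    } catch (LengthException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
} else {
    $len = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : null;
    try {
        $raw = read_capped_body(fopen('php://input', 'rb'), MAX_BODY_BYTES, $len); // at most the cap
    } catch (LengthException $e) {
        http_response_code(413); // Payload Too Large
        exit;
    }
}
```

This bounds only what the script itself buffers; the bytes still cross the network and reach the web server, which is the point raised in the thread about clogging the pipes.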


