On Fri, 5 Apr 2002, Chris Boget wrote:
> For security, you can modify your code so that you check
> the $_POST elements instead of using the magic globals.  
> That's all well and good.
> However, someone can copy and save your HTML to their local
> machine, change some values, change the "Action" page of the 
> form to be http://www.yoursite.com/form_page.php instead of 
> "form_page.php".  You'll be checking the $_POST elements
> but you won't have any idea that they were changed and posted
> from the user's local machine.
> Is there any way to determine from where the post request came
> from w/o using http_referer?

No, nor with it. Someone who wants to mess with you can supply any HTTP
referer they want to (using something like 'curl -e' or just creating the 
request by hand in a text editor).

You can never assume that submitted data is benign or untampered. 

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
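
Added example, not part of the original thread: one way to act on the reply's point is to validate every submitted field on the server as if the request had been written by hand, and to recompute anything the server already knows. The field names (`plan`, `qty`, `price`), the catalogue and the limits are hypothetical.

```php
<?php
// Added illustration; field names, catalogue and limits are hypothetical.
declare(strict_types=1);

// Server-side source of truth: the client never tells us a price.
const CATALOGUE = [
    'basic' => 1000, // price in cents
    'pro'   => 2500,
];
const MAX_QTY = 20;

/**
 * Validate a submitted order without caring where the request came from.
 * Returns [cleanOrder, errors]; cleanOrder is null if any check failed.
 */
function validate_order(array $post): array
{
    $errors = [];

    // Allow-list check: the value must be one the form offered.
    $plan = $post['plan'] ?? null;
    if (!is_string($plan) || !array_key_exists($plan, CATALOGUE)) {
        $errors[] = 'plan: not a known option';
    }

    // Range check: re-apply on the server whatever limits the HTML implied.
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_QTY]]);
    if ($qty === false) {
        $errors[] = 'qty: must be an integer from 1 to ' . MAX_QTY;
    }

    if ($errors) {
        return [null, $errors];
    }

    // Any submitted 'price' or 'total' is ignored; the total is recomputed here.
    return [['plan' => $plan, 'qty' => $qty, 'total' => CATALOGUE[$plan] * $qty], []];
}

// Constructed sample input: the form as served, and a locally edited copy.
$asServed = ['plan' => 'pro', 'qty' => '2', 'price' => '2500'];
$edited   = ['plan' => 'enterprise', 'qty' => '-5', 'price' => '1'];

foreach ([$asServed, $edited] as $post) {
    [$order, $errors] = validate_order($post);
    echo $order ? "accepted, total {$order['total']}\n" : 'rejected: ' . implode('; ', $errors) . "\n";
}
```

The check never consults the Referer header, so the outcome is the same whether the request came from the served page, a saved copy, or a hand-built request.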