On Fri, 5 Apr 2002, Chris Boget wrote:
> For security, you can modify your code so that you check
> the $_POST elements instead of using the magic globals.
> That's all well and good.
> However, someone can copy and save your HTML to their local
> machine, change some values, change the "Action" page of the
> form to be http://www.yoursite.com/form_page.php instead of
> "form_page.php". You'll be checking the $_POST elements
> but you won't have any idea that they were changed and posted
> from the user's local machine.
> Is there any way to determine where the post request came
> from w/o using http_referer?

No, nor with it. Someone who wants to mess with you can supply any HTTP referer they want to (using something like 'curl -e' or just creating the request by hand in a text editor).

You can never assume that submitted data is benign or untampered.

miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
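
An added example, not part of the original thread: one way to act on the reply's point is to validate every submitted field on the server and never consult the Referer header. The field names, catalogue and limits below are hypothetical, and the sample posts are constructed.

```php
<?php
// Added example: field names, catalogue and limits are hypothetical.
// Server-side source of truth; nothing here is taken from the client.
const CATALOGUE = ['widget' => 500, 'gadget' => 1250]; // price in cents

/**
 * Validate a submitted order. The Referer header is deliberately not
 * consulted, since the client controls it just like the form fields.
 * Returns [cleanOrder|null, errors].
 */
function validate_order(array $post): array
{
    $errors = [];

    // The item must be a string that names a catalogue entry.
    $item = $post['item'] ?? null;
    if (!is_string($item) || !array_key_exists($item, CATALOGUE)) {
        $errors[] = 'unknown item';
    }

    // Missing, non-numeric, array or out-of-range values all yield false.
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($qty === false) {
        $errors[] = 'quantity must be an integer from 1 to 10';
    }

    if ($errors) {
        return [null, $errors];
    }
    // Any client-supplied "price" field is ignored; recompute it here.
    return [['item' => $item, 'qty' => $qty,
             'total' => CATALOGUE[$item] * $qty], []];
}

// Constructed inputs: an honest post, one with an edited hidden price
// field, and one with values the form never offered.
$honest   = ['item' => 'widget', 'qty' => '2',  'price' => '500'];
$tampered = ['item' => 'widget', 'qty' => '2',  'price' => '1'];
$invalid  = ['item' => 'yacht',  'qty' => '-5', 'price' => '0'];

foreach ([$honest, $tampered, $invalid] as $post) {
    [$order, $errors] = validate_order($post);
    echo $order ? "accepted, total {$order['total']}\n"
                : 'rejected: ' . implode('; ', $errors) . "\n";
}
```

The honest and the edited post produce the same total because the price is looked up on the server; the third post is rejected on both fields.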