On Fri, 5 Apr 2002, Chris Boget wrote:
> For security, you can modify your code so that you check
> the $_POST elements instead of using the magic globals.
> That's all well and good.
> However, someone can copy and save your HTML to their local
> machine, change some values, change the "Action" page of the
> form to be http://www.yoursite.com/form_page.php instead of
> "form_page.php". You'll be checking the $_POST elements
> but you won't have any idea that they were changed and posted
> from the user's local machine.
> Is there any way to determine where the post request came
> from w/o using http_referer?

No, nor with it. Someone who wants to mess with you can supply any HTTP
referer they want to (using something like 'curl -e' or just creating the
request by hand in a text editor).

You can never assume that submitted data is benign or untampered.

PHP General Mailing List (http://www.php.net/)
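
The reply's point in code, as an added example that is not part of the original thread: the handler re-checks every field on the server and never consults the Referer header. The field names (`plan`, `price`, `qty`), the plan list and the limits are assumptions made up for illustration, and the syntax needs PHP 7.1 or later.

```php
<?php
// Added example: validate every submitted field on the server, no matter
// which page (or hand-written request) the POST came from.
// Field names, plans and limits below are constructed for illustration.

const PLANS = ['basic' => 500, 'pro' => 2000]; // price in cents, kept server-side only

/**
 * Returns [clean data, names of rejected fields]. Nothing in $post is trusted,
 * and the client-supplied Referer header is deliberately not used at all.
 */
function validate_order(array $post): array
{
    $clean  = [];
    $errors = [];

    // A <select> in the HTML does not limit what a hand-made request can send,
    // so the value is checked against the server's own list.
    $plan = $post['plan'] ?? null;
    if (!is_string($plan) || !array_key_exists($plan, PLANS)) {
        $errors[] = 'plan';
    } else {
        $clean['plan'] = $plan;
        // The price is looked up here; any "price" field in the request is ignored.
        $clean['price'] = PLANS[$plan];
    }

    // maxlength / type="number" in the form are hints to the browser only.
    $qty = filter_var(
        $post['qty'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]
    );
    if ($qty === false) {
        $errors[] = 'qty';
    } else {
        $clean['qty'] = $qty;
    }

    return [$clean, $errors];
}

// Constructed input: what a locally edited copy of the form could submit.
$tampered = ['plan' => 'pro', 'price' => '1', 'qty' => '9999'];
[$clean, $errors] = validate_order($tampered);
var_dump($clean, $errors);
```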