HTTP_REFERRER can be spoofed, so don't rely on it for much.
----- Original Message -----
From: "John Nichel" <[EMAIL PROTECTED]>
To: "Paul Nicholson" <[EMAIL PROTECTED]>
Cc: "Johnson, Kirk" <[EMAIL PROTECTED]>; "PHP General"
Sent: Friday, October 25, 2002 2:07 PM
Subject: Re: [PHP] extract($_POST)
> And if you want to take it a step further, to ensure that the values are
> submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
> it's coming from your domain | page.
> Paul Nicholson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> >>>And what should these precautions be? If a malicious user can submit
> >>>his own form and you are looking for a POST variable, how can you
> >>>ensure that $admin came from your form and not that user's?
> >>The problem is when a cracker uses form variables in an attempt to set
> >>values of "flag" variables kept only in the session, for example,
> >>As far as the form variables *you* put in your form, it doesn't matter
> >>whether the user submits your form or a form they made themselves. Those
> >>form variables are just data you are trying to collect.
> >>With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
> >>received from the client and assigns them to global variables. So if the
> >>user posts a value for $isAdmin, she can give herself admin privileges.
> >>The key is to retrieve *only* the form variables *you* put in the form
> >>the the $_POST array. So don't write a loop and grab *everything* from
> > Exactly! Not only should you retrieve *only* the vars you need from
> > you should also filter them to make sure they contain what you're
> > for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha'
> > function....I created that as part of a filtering class.
> > ~Paul
> > - --
> > ~Paul Nicholson
> > Design Specialist @ WebPower Design
> > "The web....the way you want it!"
> > [EMAIL PROTECTED]
> > "It said uses Windows 98 or better, so I loaded Linux!"
> > Registered Linux User #183202 using Register Linux System # 81891
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> > iD8DBQE9uXoKDyXNIUN3+UQRAkugAJ0aftPjxhmV0tSk125UZSTCuWp47QCfaKJ7
> > z5+ja1P4NtWUwVMCMsFVt2M=
> > =UG2o
> > -----END PGP SIGNATURE-----
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php