Richard K Miller wrote:
Agreed.
For example, you might offer a one-click purchase button:
<form action="https://www.yourcompany.com/cart.php"; method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>
If you use $_REQUEST instead of $_POST, then visiting the following
URL will also cause your product to be purchased:
https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
Now, let's say a hacker embeds the above URL in his MySpace page as an
image.
<img
src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now";
/>
Any of your previously authenticated customers who visit this hacker's
MySpace page will automatically purchase your product without knowing it.
This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery
You could also write javascript to POST data on a page without the user
knowing it. This is a little more difficult to achieve but it's still easy.
IMO using $_REQUEST is fine as long as you sanitize the data and make
sure that the data being submitted wasn't submitted without user
interaction. You can create keys for forms that is stored in the session
so when the form is submitted the session key has to match what was
submitted in the form. Makes it impossible for forms to be submitted
without the user knowing.
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
