I agree. Also, if you actually look at the request being sent to the
server, the only difference between POST and GET is that one is in the header
whereas the other is in the body.
The only security it adds is a slight obscurity.
Eric Faerber wrote:
Richard K Miller wrote:
Agreed.
For example, you might offer a one-click purchase button:
<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>
If you use $_REQUEST instead of $_POST, then visiting the following
URL will also cause your product to be purchased:
https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
Now, let's say a hacker embeds the above URL in his MySpace page as
an image.
<img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
Any of your previously authenticated customers who visit this
hacker's MySpace page will automatically purchase your product
without knowing it.
This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery
You could also write javascript to POST data on a page without the
user knowing it. This is a little more difficult to achieve but it's
still easy.
IMO using $_REQUEST is fine as long as you sanitize the data and make
sure that the data being submitted wasn't submitted without user
interaction. You can create keys for forms that are stored in the
session, so when the form is submitted the session key has to match
what was submitted in the form. That makes it impossible for forms to be
submitted without the user knowing.
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
--
Sean Thayne,
Exit12
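A concrete form of the session-key check Eric describes, as an added example written for this thread (not code from any poster). It assumes PHP 7 or later (random_bytes, hash_equals), a single handler file cart.php, and the field name csrf_token, all chosen here:

```php
<?php
// Added example: per-session anti-CSRF token for the one-click purchase form.
// Assumes PHP 7+ and a started session; cart logic itself is left as a stub.
session_start();

function csrf_token(): string {
    // One unguessable token per session, reused for every form in that session.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_is_valid(): bool {
    // Read the token from the POST body only, never from $_REQUEST or $_GET,
    // so an <img src="..."> or a plain link can never supply one.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // Constant-time comparison; an empty session token is rejected outright.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_is_valid()) {
        http_response_code(403);
        exit('Invalid form submission.');
    }
    $productId = (int) ($_POST['product_id'] ?? 0);
    // ... add $productId to the authenticated user's cart here ...
    echo 'Purchased product ', $productId;
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="https://www.yourcompany.com/cart.php" method="post">
  <input type="hidden" name="csrf_token" value="<?= $token ?>" />
  <input type="hidden" name="product_id" value="12345" />
  <input type="submit" name="submit" value="Buy this product now" />
</form>
```

A cross-site page can still auto-submit a POST with JavaScript, but it cannot read this session's token, so the check rejects that submission as well as the GET image trick.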