This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery
You could also write JavaScript to POST data on a page without the user knowing it. This is a little more difficult to achieve but it's still easy.

How do you do this? As far as I know, XMLHttpRequest() doesn't allow cross-domain requests. I don't know of any other way to perform a POST without user intervention.

This article by Chris Shiflett (author of PHP Security) was helpful, especially comments 4, 5, 37, and 38.

http://shiflett.org/articles/cross-site-request-forgeries



_______________________________________________

UPHPU mailing list
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
