[UPHPU] receiving with $_REQUEST
Richard K Miller
richardkmiller at gmail.com
Thu Feb 28 14:26:17 MST 2008
>>
>> As long as there are no security problems, isn't this flexibility a
>> good thing?
>>
>
> Not at all. There are reasons why the RFC defines GET, POST, PUT, DELETE,
> etc, differently. You should know which method is being used, and you
> shouldn't access them all the same way. There's absolutely no reason for
> $_REQUEST to even exist in PHP. Read the RFC [1], please. There's no
> excuse for a web developer not to have the HTTP RFC down pat.
Agreed.
For example, you might offer a one-click purchase button:
<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>
If you use $_REQUEST instead of $_POST, then visiting the following
URL will also cause your product to be purchased:
https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
Now, let's say a hacker embeds the above URL in his MySpace page as an
image.
<img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
Any of your previously authenticated customers who visit this hacker's
MySpace page will automatically purchase your product without knowing
it.
This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery
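A hardened cart.php that closes the hole described above, added here as an example and not code from the original post: it reads only $_POST, rejects anything but a real POST, and requires a per-session token that the order form echoes back. The product id, field names and session layout are assumptions for illustration.

```php
<?php
// Added example (not from the original post): cart.php that refuses the
// GET-triggered purchase and the forged POST variant of the same attack.
// The product_id value and the session layout are constructed for illustration.
declare(strict_types=1);

session_start();

// Issue one random token per session. The order form must carry it in a
// hidden field:  <input type="hidden" name="csrf_token" value="<token>" />
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Only a genuine POST carrying the session's token may change state.
// The <img src="...cart.php?..."> trick from the post issues a GET, so it
// never reaches the purchase code; a forged cross-site POST cannot know
// the token because it lives only in this user's session and form.
function purchase_request_is_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($post['csrf_token']) || empty($session['csrf_token'])) {
        return false;
    }
    // hash_equals compares in constant time, so the token is not leaked via timing.
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

if (!purchase_request_is_valid($_SERVER['REQUEST_METHOD'] ?? '', $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Purchase must be submitted from the order form.');
}

// Validate the one piece of input we actually use; never trust $_REQUEST here.
$productId = filter_var($_POST['product_id'] ?? '', FILTER_VALIDATE_INT);
if ($productId === false) {
    http_response_code(400);
    exit('Invalid product.');
}

// ... place the order for $productId here (assumed application code) ...
echo 'Purchased product ' . $productId;
```

Rendering the form through csrf_token() and keeping cart.php POST-only is what makes the embedded URL in the example above harmless: the image request arrives as a GET with no token and is rejected before any order is placed.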