[UPHPU] receiving with $_REQUEST

Richard K Miller richardkmiller at gmail.com
Thu Feb 28 14:26:17 MST 2008


>>
>> As long as there are no security problems, isn't this flexibility a
>> good thing?
>>
>
> Not at all. There are reasons why the RFC defines GET, POST, PUT, DELETE,
> etc, differently. You should know which method is being used, and you
> shouldn't access them all the same way. There's absolutely no reason for
> $_REQUEST to even exist in PHP. Read the RFC [1], please. There's no
> excuse for a web developer not to have the HTTP RFC down pat.

Agreed.

For example, you might offer a one-click purchase button:

<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>

If you use $_REQUEST instead of $_POST, then visiting the following URL
will also cause your product to be purchased:

https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now

Now, let's say a hacker embeds the above URL in his MySpace page as an
image.

<img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />

Any of your previously authenticated customers who visit this hacker's
MySpace page will automatically purchase your product without knowing it.

This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery

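As an added illustration (not code from the original post), here is how the cart.php handler in the scenario above could be hardened: it reads only $_POST, rejects anything that is not a POST, and checks a per-session token so a forged cross-site POST fails too. The session-based login and the complete_purchase() helper are assumed.

```php
<?php
// cart.php, hardened version (added example, not the list author's code).
// Assumes the customer is logged in via a PHP session ($_SESSION['user_id'])
// and that a hypothetical complete_purchase($user_id, $product_id) exists.
session_start();

// Synchronizer token: generated once per session, rendered into the form as
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>" />
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The pattern discussed in the thread. $_REQUEST merges GET, POST and cookie
// data, so a plain <img src="cart.php?product_id=12345&submit=..."> completes
// the purchase for any logged-in visitor who loads the image:
//   $product_id = $_REQUEST['product_id'];

// 1. An <img> tag (or a link) can only ever produce a GET. Refuse it outright.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. A POST can still be forged with an auto-submitting form on another site,
//    but that site cannot read the victim's session token, so it fails here.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !hash_equals(csrf_token(), $token)) {
    http_response_code(403);
    exit('Invalid request');
}

// 3. Read the parameter from $_POST only, and validate it before use.
$product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
if ($product_id === null || $product_id === false) {
    http_response_code(400);
    exit('Bad product id');
}

complete_purchase($_SESSION['user_id'], $product_id); // hypothetical helper
```

Note that the method check alone closes the <img> vector from the post; the token check is what stops a forged POST, which is why both are present.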