[UPHPU] receiving with $_REQUEST
Wade Preston Shearer
lists at wadeshearer.com
Thu Feb 28 14:46:40 MST 2008
> For example, you might offer a one-click purchase button:
> <form action="https://www.yourcompany.com/cart.php" method="post">
> <input type="hidden" name="product_id" value="12345" />
> <input type="submit" name="submit" value="Buy this product now" />
> </form>
> If you use $_REQUEST instead of $_POST, then visiting the following
> URL will also cause your product to be purchased:
> Now, let's say a hacker embeds the above URL in his MySpace page as
> an image.
> <img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
> Any of your previously authenticated customers who visit this
> hacker's MySpace page will automatically purchase your product
> without knowing it.
> This is called cross-site request forgery (CSRF):
While requiring slightly more work for the hacker, how is this any
different from you using $_POST and the hacker putting a button on his
site that runs a script that posts straight to your script?
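The thread above argues about $_REQUEST versus $_POST; the following is an added example, not code from the original posters, showing why neither alone settles the question: the method check stops the image-tag GET trick, and a per-session synchronizer token stops the auto-submitting POST form Wade describes. It assumes PHP 7 or later, an authenticated session already started, and a hypothetical handler path of /cart.php.

```php
<?php
// Added example (not from the original thread): the purchase handler hardened
// against the CSRF scenario discussed above. Assumes PHP >= 7 (random_bytes,
// hash_equals) and that the customer already has an authenticated session.
session_start();

// Issue one secret token per session; embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the one-click form with the token as a hidden field.
function buy_button(int $product_id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="/cart.php" method="post">'
         . '<input type="hidden" name="product_id" value="' . $product_id . '" />'
         . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
         . '<input type="submit" name="submit" value="Buy this product now" />'
         . '</form>';
}

// Decide whether a request may trigger a purchase.
// Reading only $_POST (and refusing GET) blocks the <img src="...?product_id=...">
// trick; the token is what stops a hidden form on a third-party page that POSTs here,
// because that page cannot read the victim's session token.
function purchase_allowed(string $method, array $post, ?string $session_token): bool
{
    if ($method !== 'POST') {
        return false;   // no purchases via GET, even though $_REQUEST would merge it
    }
    if ($session_token === null || !isset($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the check leaks nothing about the token.
    return hash_equals($session_token, (string) $post['csrf_token']);
}

if (purchase_allowed($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION['csrf_token'] ?? null)) {
    $product_id = (int) ($_POST['product_id'] ?? 0);
    // ... add $product_id to the authenticated customer's cart ...
} else {
    http_response_code(403);
    echo 'Request rejected';
}
```

Every form that changes state must be rendered through buy_button() (or otherwise carry the token), or the token check will reject legitimate purchases as well as forged ones.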