[UPHPU] receiving with $_REQUEST

Wade Preston Shearer lists at wadeshearer.com
Thu Feb 28 14:46:40 MST 2008


> For example, you might offer a one-click purchase button:
>
> <form action="https://www.yourcompany.com/cart.php" method="post">
> <input type="hidden" name="product_id" value="12345" />
> <input type="submit" name="submit" value="Buy this product now" />
> </form>
>
> If you use $_REQUEST instead of $_POST, then visiting the following  
> URL will also cause your product to be purchased:
>
> https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
>
> Now, let's say a hacker embeds the above URL in his MySpace page as  
> an image.
>
> <img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
>
> Any of your previously authenticated customers who visit this  
> hacker's MySpace page will automatically purchase your product  
> without knowing it.
>
> This is called cross-site request forgery (CSRF):
> http://en.wikipedia.org/wiki/Cross-site_request_forgery

While requiring slightly more work for the hacker, how is this any
different from you using $_POST and the hacker putting a button on his
site that runs a script that posts straight to your script?
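A reply-independent illustration of what actually separates the two cases, added here and not taken from the list post or its author: a third-party page can trigger a GET (the image) or an auto-submitted POST (the hidden form), but it cannot read a secret that only your origin's session holds, so a per-session token in the form plus a strict $_POST check refuses both. The example assumes PHP sessions are in use; handlePurchase() is a hypothetical stand-in for the real cart logic.

```php
<?php
// Added example, not from the UPHPU thread: per-session CSRF token for the
// one-click purchase form. Assumes PHP sessions; handlePurchase() is hypothetical.
declare(strict_types=1);
session_start();
// One random token per session, kept server-side. An attacker's page cannot
// read your origin's session or DOM, so it cannot learn this value.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept only a real POST that carries the session's token; hash_equals()
// compares in constant time, so timing does not leak the token.
function isValidPurchaseRequest(array $post, string $method): bool
{
    if ($method !== 'POST' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && hash_equals($_SESSION['csrf_token'], $sent);
}

// The form embeds the token; the forged GET URL and an auto-submitting
// form on a third-party page both lack it and are refused.
function renderBuyButton(string $productId): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    $pid   = htmlspecialchars($productId, ENT_QUOTES, 'UTF-8');
    return '<form action="https://www.yourcompany.com/cart.php" method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
         . '<input type="hidden" name="product_id" value="' . $pid . '" />'
         . '<input type="submit" name="submit" value="Buy this product now" />'
         . '</form>';
}
function handlePurchase(string $productId): string   // hypothetical cart logic
{
    return "Order placed for product $productId";
}
// cart.php entry point: read from $_POST only, never $_REQUEST.
if (isValidPurchaseRequest($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')) {
    echo handlePurchase((string) ($_POST['product_id'] ?? ''));
} else {
    http_response_code(403);
    echo 'Rejected: not a POST or missing/invalid CSRF token';
}
```

Switching from $_REQUEST to $_POST alone only rules out the image-tag variant; the token is what rules out the scripted cross-site POST the reply asks about.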
