[UPHPU] receiving with $_REQUEST

Craig Jackson CJackson at cirris.com
Thu Feb 28 15:01:23 MST 2008

>> For example, you might offer a one-click purchase button:
>> <form action="https://www.yourcompany.com/cart.php" method="post">
>> <input type="hidden" name="product_id" value="12345" />
>> <input type="submit" name="submit" value="Buy this product now" />
>> </form>
>> If you use $_REQUEST instead of $_POST, then visiting the following  
>> URL will also cause your product to be purchased:
>> https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
>> Now, let's say a hacker embeds the above URL in his MySpace page as  
>> an image.
>> <img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now 
>> " />
>> Any of your previously authenticated customers who visit this  
>> hacker's MySpace page will automatically purchase your product  
>> without knowing it.
>> This is called cross-site request forgery (CSRF):
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery

>While requiring slightly more work for the hacker, how is this any  
>different from you using $_POST and the hacker putting a button on his  
>site that runs a script that posts straight to your script?

The only difference I see is the more work on the hacker's part. In the end, GET's or POST's can be hacked into. But, GETs are easier to find holes because it is posted in the address. I think the main problem with $_REQUEST is that (like it was mentioned before) you can accidently grab a cookie. Personally, I like to know I am grabbing from a GET, POST, or COOKIE for future reference, so that is why I do not use $_REQUEST.

More information about the UPHPU mailing list