[UPHPU] receiving with $_REQUEST

Eric Faerber php at ericfaerber.com
Thu Feb 28 15:01:41 MST 2008

Richard K Miller wrote:
> Agreed.
> For example, you might offer a one-click purchase button:
> <form action="https://www.yourcompany.com/cart.php" method="post">
> <input type="hidden" name="product_id" value="12345" />
> <input type="submit" name="submit" value="Buy this product now" />
> </form>
> If you use $_REQUEST instead of $_POST, then visiting the following 
> URL will also cause your product to be purchased:
> https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now 
> Now, let's say a hacker embeds the above URL in his MySpace page as an 
> image.
> <img 
> src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" 
> />
> Any of your previously authenticated customers who visit this hacker's 
> MySpace page will automatically purchase your product without knowing it.
> This is called cross-site request forgery (CSRF):
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
You could also write javascript to POST data on a page without the user 
knowing it. This is a little more difficult to achieve but it's still easy.

IMO using $_REQUEST is fine as long as you sanitize the data and make 
sure that the data being submitted wasn't submitted without user 
interaction. You can create keys for forms that is stored in the session 
so when the form is submitted the session key has to match what was 
submitted in the form. Makes it impossible for forms to be submitted 
without the user knowing.

More information about the UPHPU mailing list