[UPHPU] receiving with $_REQUEST
php at ericfaerber.com
Thu Feb 28 15:01:41 MST 2008
Richard K Miller wrote:
> For example, you might offer a one-click purchase button:
> <form action="https://www.yourcompany.com/cart.php" method="post">
> <input type="hidden" name="product_id" value="12345" />
> <input type="submit" name="submit" value="Buy this product now" />
> If you use $_REQUEST instead of $_POST, then visiting the following
> URL will also cause your product to be purchased:
> Now, let's say a hacker embeds the above URL in his MySpace page as an
> Any of your previously authenticated customers who visit this hacker's
> MySpace page will automatically purchase your product without knowing it.
> This is called cross-site request forgery (CSRF):
knowing it. This is a little more difficult to achieve but it's still easy.
IMO using $_REQUEST is fine as long as you sanitize the data and make
sure that the data being submitted wasn't submitted without user
interaction. You can create keys for forms that is stored in the session
so when the form is submitted the session key has to match what was
submitted in the form. Makes it impossible for forms to be submitted
without the user knowing.
More information about the UPHPU