[UPHPU] receiving with $_REQUEST

Sean sean at lookin3d.com
Thu Feb 28 15:40:39 MST 2008


I agree, also if you actually look at the request being sent to the 
server, the only difference between POST and GET is on is in the header 
where as the other is in the body.

The only security it adds is a slight obscurity.

Eric Faerber wrote:
> Richard K Miller wrote:
>> Agreed.
>>
>> For example, you might offer a one-click purchase button:
>>
>> <form action="https://www.yourcompany.com/cart.php" method="post">
>> <input type="hidden" name="product_id" value="12345" />
>> <input type="submit" name="submit" value="Buy this product now" />
>> </form>
>>
>> If you use $_REQUEST instead of $_POST, then visiting the following 
>> URL will also cause your product to be purchased:
>>
>> https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now 
>>
>>
>> Now, let's say a hacker embeds the above URL in his MySpace page as 
>> an image.
>>
>> <img 
>> src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" 
>> />
>>
>> Any of your previously authenticated customers who visit this 
>> hacker's MySpace page will automatically purchase your product 
>> without knowing it.
>>
>> This is called cross-site request forgery (CSRF):
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
> You could also write javascript to POST data on a page without the 
> user knowing it. This is a little more difficult to achieve but it's 
> still easy.
>
> IMO using $_REQUEST is fine as long as you sanitize the data and make 
> sure that the data being submitted wasn't submitted without user 
> interaction. You can create keys for forms that is stored in the 
> session so when the form is submitted the session key has to match 
> what was submitted in the form. Makes it impossible for forms to be 
> submitted without the user knowing.
>
> _______________________________________________
>
> UPHPU mailing list
> UPHPU at uphpu.org
> http://uphpu.org/mailman/listinfo/uphpu
> IRC: #uphpu on irc.freenode.net
>
>

-- 

Sean Thayne,
Exit12



More information about the UPHPU mailing list