[UPHPU] receiving with $_REQUEST
Richard K Miller
richardkmiller at gmail.com
Thu Feb 28 16:31:34 MST 2008
On Feb 28, 2008, at 2:46 PM, Wade Preston Shearer wrote:
>> For example, you might offer a one-click purchase button:
>> <form action="https://www.yourcompany.com/cart.php" method="post">
>> <input type="hidden" name="product_id" value="12345" />
>> <input type="submit" name="submit" value="Buy this product now" />
>> If you use $_REQUEST instead of $_POST, then visiting the following
>> URL will also cause your product to be purchased:
>> Now, let's say a hacker embeds the above URL in his MySpace page as
>> an image.
>> <img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
>> Any of your previously authenticated customers who visit this
>> hacker's MySpace page will automatically purchase your product
>> without knowing it.
>> This is called cross-site request forgery (CSRF):
> While requiring slightly more work for the hacker, how is this any
> different from you using $_POST and the hacker putting a button on
> his site that runs a script that posts straight to your script?
In my scenario, the user has to only visit the MySpace page. In your
scenario, the user has to click a submit button.
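The following is an added example, not code from this thread or from either poster, showing how a cart.php handler can close both gaps discussed above: restricting the handler to POST and reading only $_POST defeats the image-tag GET vector, and a per-session token defeats a self-submitting form on a third-party page. It assumes an authenticated customer already has a PHP session and that the purchase form was rendered with the hypothetical csrf_token() helper below.

```php
<?php
// Added example (not from the UPHPU thread): a hardened cart.php.
// Assumes an authenticated customer session exists and that the purchase
// form embedded the token returned by csrf_token() as a hidden field.
session_start();

// Generate (once per session) and return the anti-CSRF token to embed in
// the purchase form:
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>" />
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a purchase request. Returns the product id to buy, or null if
// the request must be rejected. Takes the superglobals as parameters so
// the logic is easy to unit test.
function validated_purchase(array $server, array $post, array $session): ?int {
    // 1. Only POST. An <img src="..."> can only issue a GET, so this alone
    //    stops the image-tag trick from the thread. It does NOT stop a
    //    self-submitting form on another site, which is what step 3 is for.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null;
    }

    // 2. Read only from $_POST, never $_REQUEST, so query-string values can
    //    never stand in for form fields.
    $product_id = filter_var($post['product_id'] ?? '', FILTER_VALIDATE_INT);
    if ($product_id === false) {
        return null;
    }

    // 3. Per-session token, compared in constant time. A page on another
    //    origin cannot read the victim's session token, so it cannot forge
    //    this field even though it can make the browser send a POST.
    $token = $post['csrf_token'] ?? '';
    if (empty($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return null;
    }

    return $product_id;
}

$product_id = validated_purchase($_SERVER, $_POST, $_SESSION);
if ($product_id === null) {
    http_response_code(403);
    exit('Purchase request rejected');
}

// ... add $product_id to the authenticated customer's cart here ...
echo 'Purchasing product ' . $product_id;
```

Step 1 on its own answers the question raised in the quoted reply: the difference between the two scenarios is exactly which request methods the attacker can trigger without user interaction, so a handler that accepts only POST removes the zero-click image vector, while step 3 is what covers the form-based one.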