[UPHPU] receiving with $_REQUEST

Richard K Miller richardkmiller at gmail.com
Thu Feb 28 16:31:34 MST 2008


On Feb 28, 2008, at 2:46 PM, Wade Preston Shearer wrote:

>> For example, you might offer a one-click purchase button:
>>
>> <form action="https://www.yourcompany.com/cart.php" method="post">
>> <input type="hidden" name="product_id" value="12345" />
>> <input type="submit" name="submit" value="Buy this product now" />
>> </form>
>>
>> If you use $_REQUEST instead of $_POST, then visiting the following  
>> URL will also cause your product to be purchased:
>>
>> https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
>>
>> Now, let's say a hacker embeds the above URL in his MySpace page as  
>> an image.
>>
>> <img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now 
>> " />
>>
>> Any of your previously authenticated customers who visit this  
>> hacker's MySpace page will automatically purchase your product  
>> without knowing it.
>>
>> This is called cross-site request forgery (CSRF):
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> While requiring slightly more work for the hacker, how is this any  
> different from you using $_POST and the hacker putting a button on  
> his site that runs a script that posts straight to your script?

In my scenario, the user has to only visit the MySpace page. In your  
scenario, the user has to click a submit button.




More information about the UPHPU mailing list