[UPHPU] receiving with $_REQUEST
Richard K Miller
richardkmiller at gmail.com
Thu Feb 28 16:40:51 MST 2008
>> This is called cross-site request forgery (CSRF):
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery

> You could also write javascript to POST data on a page without the
> user knowing it. This is a little more difficult to achieve but it's
> still easy.

How do you do this? As far as I know, XMLHttpRequest() doesn't allow
cross-domain requests. I don't know of any other way to perform a POST
without user intervention.

This article by Chris Shiflett (author of PHP Security) was helpful,
especially comments 4, 5, 37, and 38.
http://shiflett.org/articles/cross-site-request-forgeries