[UPHPU] receiving with $_REQUEST
std3rr at gmail.com
Thu Feb 28 17:00:20 MST 2008
On Thu, Feb 28, 2008 at 3:56 PM, Wade Preston Shearer <lists at wadeshearer.com>
> I wasn't referring to CSRF. I was showing how the shopping cart/
> MySpace example wasn't a valid reason against using REQUEST as the
> hacker can fake-post to the shopping cart just as easy as he can fake-
> get to the shopping cart, both without user interaction.
The example was one of CSRF. CSRF would use the already logged-in user's
(that you left the <img> comment) auth. Meaning that, although the hacker
was the one who added the <img>, the system thinks YOU'RE posting the form.
Thus, you can change passwords, delete accounts, whatever else is allowed
via GET and the user's authentication. Hope that's a better explanation.
"Insert pseudo-insightful quote here." - Some Guy
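The point of the thread, as an added example that is not from the original post or any UPHPU member: a password-change handler that reads `$_REQUEST` honours a GET that an `<img>` tag can trigger with the victim's session cookie attached, while the hardened form accepts only POST and checks a per-session anti-CSRF token, which also defeats a forged POST. The `users` table, the `$_SESSION['user_id']` key and the PDO handle are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. Shows a CSRF-exposed
// handler built on $_REQUEST beside a hardened one. Assumes a session that
// already holds the authenticated user's id in $_SESSION['user_id'] and a
// PDO connection to a hypothetical "users" table.

session_start();

// --- Vulnerable: $_REQUEST merges GET, POST and COOKIE, so
// change_password.php?new_password=x is accepted. Any page the logged-in
// user loads can embed that URL in an <img> tag; the browser fetches it and
// sends the user's session cookie, so the server believes the user asked.
function change_password_vulnerable(PDO $db): void
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        return;
    }
    $new = $_REQUEST['new_password'] ?? '';
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['user_id']]);
}

// --- Hardened: POST only, read $_POST explicitly, and require a token the
// server issued with the form. A third-party page cannot read the victim's
// token, so a forged GET or POST fails the check.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function change_password_hardened(PDO $db): void
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        return;
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return;
    }
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return;
    }
    $new = $_POST['new_password'] ?? '';
    if (strlen($new) < 12) {
        http_response_code(400);
        return;
    }
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['user_id']]);
}

// The form that goes with the hardened handler carries the token as a
// hidden field, so only a page served by this site can submit a valid one.
function password_form_html(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="change_password.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="new_password">'
         . '<button type="submit">Change password</button>'
         . '</form>';
}
```

Requiring POST alone is not the fix; it only removes the `<img>`-style trigger. The token is what makes a request the user did not intend fail, whether it arrives by GET or by a forged POST.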