Article: Ten Security Checks for PHP, Part 1
Subject: Register Globals on
Date: 2003-05-26 11:13:56
From: anonymous2

Response to: Register Globals on

Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to http://www.somwhere.net/someaction.php
Register Globals on
2007-03-01 11:52:54 andrwe

    <?php
    // process_form() is the poster's own handler, defined elsewhere
    $referer = $_SERVER['HTTP_REFERER'];
    if ($referer != "http://www.domain.com/form.html") {
        echo "nice try!";
    } else {
        process_form();
    }

Any downside to that (other than having to change the URL upon upload)?

Register Globals on
2007-03-01 14:10:51 ClancyMalcolm

The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

Clancy
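The two points made in this thread, that the request method and the Referer header both originate with the client and so protect nothing, lead to the usual alternative: a per-session token that only the server can issue, checked on submit, plus server-side validation of the submitted fields themselves. The following is an added example written for this page; it is not code from the thread or from the article it responds to. It assumes PHP 7.1 or later with sessions enabled, reads only from $_POST (never from a register_globals-style variable), and keeps the poster's hypothetical process_form() as the function that does the real work.

```php
<?php
// Added example, not from the thread or the article. Assumes PHP >= 7.1 with
// sessions available; process_form() is the poster's hypothetical handler.

session_start();

function csrf_token(): string
{
    // One unguessable token per session, generated on the server. The client
    // cannot forge this the way it can forge the Referer header or pick POST.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid($submitted): bool
{
    // hash_equals() compares in constant time; is_string() rejects arrays
    // that a crafted request could put into $_POST['csrf_token'].
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function render_form(): void
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="form.php">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="text" name="email">'
       . '<input type="submit" value="Send">'
       . '</form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject submissions that do not carry this session's token.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo "nice try!";
        exit;
    }
    // A valid token says nothing about the data itself: validate each field
    // on the server regardless of whether it arrived by GET or POST.
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        echo "invalid e-mail address";
        exit;
    }
    process_form($email); // hypothetical, as in the poster's snippet
} else {
    render_form();
}
```

The token replaces the Referer comparison and also removes the poster's deployment problem, since nothing in the check depends on the site's URL. The Referer header can still be logged as a signal when it is absent or points elsewhere, but the decision to accept the form should rest on the token and the field validation.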