| Article: | Ten Security Checks for PHP, Part 1 |
| Subject: | Register Globals on |
| Date: | 2003-05-26 04:42:37 |
| From: | anonymous2 |

Response to: Register Globals on

Thanks for the reply. That means that if and only if the data is being passed via the GET method, the question of security in regard to register globals on comes into play. What if the method used is POST?
Register Globals on
2003-05-26 11:13:56 anonymous2
Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to http://www.somwhere.net/someaction.php
Register Globals on
2007-03-01 11:52:54 andrwe
My method for securing where POST data comes from is thus:

    $referer = $_SERVER['HTTP_REFERER'];
    if ($referer != "http://www.domain.com/form.html") {
        echo "nice try!";
    } else {
        process_form();
    }

Any downside to that (other than having to change the URL upon upload)?
Register Globals on
2007-03-01 14:10:51 ClancyMalcolm
The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.
Clancy
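
The Referer check discussed in this thread, set beside a session-bound form token, as an added example that is not code from any of the posters or from the article. The function names, the form_token field and the sample requests are assumptions made for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example; function names, the form_token field and all sample values are assumptions.

// The check from the post above, with the header array passed in so it runs offline.
// In a real script $server is $_SERVER, and every HTTP_* entry is copied from the request.
function referer_check(array $server): bool
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return $referer === 'http://www.domain.com/form.html';
}

// Server-side state instead: a random token saved in the session when the form is
// rendered and echoed back in a hidden field. $session stands in for $_SESSION.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// $post stands in for $_POST. hash_equals() compares in constant time.
function token_check(array $session, array $post): bool
{
    if (empty($session['form_token']) || !isset($post['form_token'])
        || !is_string($post['form_token'])) {
        return false;
    }
    return hash_equals($session['form_token'], $post['form_token']);
}

// Constructed sample requests: [headers, POST fields].
$session = [];
$token = issue_form_token($session);
$form = 'http://www.domain.com/form.html';
$requests = [
    'browser, form served by the site'  => [['HTTP_REFERER' => $form], ['form_token' => $token]],
    'browser, Referer header not sent'  => [[], ['form_token' => $token]],
    'other client, Referer set by hand' => [['HTTP_REFERER' => $form], []],
];

foreach ($requests as $label => [$server, $post]) {
    printf("%-36s referer_check=%-5s token_check=%s\n", $label,
        var_export(referer_check($server), true),
        var_export(token_check($session, $post), true));
}
```

The token shows that a submission follows a form this server rendered for that session; it says nothing about which client software sent it. Every submitted field still needs server-side validation.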




