Article:   Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2003-05-26 04:42:37
From:   anonymous2
Response to: Register Globals on

Thanks for the reply.
That means that if and only if the data is being passed via the GET method, the question of security in regard to register globals on comes into play.
What if the method used is POST?


Thanks again for the reply


Cheers


Showing messages 1 through 5 of 5.

  • Register Globals on
    2003-05-26 11:13:56  anonymous2

    Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to http://www.somwhere.net/someaction.php
    • Register Globals on
      2003-09-26 17:58:53  anonymous2

      How do you turn it on?
    • Register Globals on
      2007-03-01 11:52:54  andrwe

      My method for securing where POST data comes from is thus:

      $referer = $_SERVER['HTTP_REFERER'];
      if ($referer != "http://www.domain.com/form.html") {
          echo "nice try!";
      } else {
          process_form();
      }

      Any downside to that (other than having to change the URL upon upload)?
      • Register Globals on
        2007-03-01 14:10:51  Clancy Malcolm | O'Reilly Author

        The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

        Clancy
      • Register Globals on
        2008-07-01 11:13:49  davidrrm

        That's certainly not a certain test though. I could create a program to do the post and it would set HTTP_REFERER to what you are looking for.
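
The Referer comparison from the thread next to a per-session form token, as an added example that is not from the thread or the article; it assumes PHP 7 or later, and `form_token`, `qty` and the helper names are made up for illustration. The token only shows that the submission belongs to a session that was served the form, so a client can still fetch the form and post whatever it likes, which is why the field validation stays.

```php
<?php
// Added example, not from the thread. Arrays stand in for $_SERVER, $_POST, $_SESSION; values are constructed.

// The check from the thread: it trusts a header that the client writes.
function referer_check(array $server): bool {
    return ($server['HTTP_REFERER'] ?? '') === 'http://www.domain.com/form.html';
}

// Called when the form is rendered: keep a random token in the session
// and return it for embedding in a hidden field (form_token is a made-up name).
function issue_token(array &$session): string {
    return $session['form_token'] = bin2hex(random_bytes(32));
}

// Accept a POST only if it carries this session's token. The token is single-use.
function token_check(array &$session, array $post): bool {
    $expected = $session['form_token'] ?? '';
    $given = $post['form_token'] ?? '';
    unset($session['form_token']);
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Whatever the origin check says, each field is still validated server-side.
function valid_quantity(array $post): bool {
    $opts = ['options' => ['min_range' => 1, 'max_range' => 100]];
    return filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT, $opts) !== false;
}

function report(string $label, array $server, array &$session, array $post): void {
    printf("%-28s referer=%s token=%s qty=%s\n", $label,
        var_export(referer_check($server), true),
        var_export(token_check($session, $post), true),
        var_export(valid_quantity($post), true));
}

$page = ['HTTP_REFERER' => 'http://www.domain.com/form.html'];
// Constructed request 1: a client that set the Referer itself and never loaded the form.
$session = [];
report('self-written Referer', $page, $session, ['qty' => '5']);
// Constructed request 2: the served form is submitted, but with an out-of-range field.
$session = [];
$token = issue_token($session);
report('served form, bad field', $page, $session, ['form_token' => $token, 'qty' => '5000']);
// Constructed request 3: a browser that strips the Referer submits the served form.
$session = [];
$token = issue_token($session);
report('served form, no Referer', [], $session, ['form_token' => $token, 'qty' => '5']);
```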