Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2003-05-26 11:13:56
From:   anonymous2
Response to: Register Globals on

Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to

  • Register Globals on
    2003-09-26 17:58:53  anonymous2

    How do you turn it on?
  • Register Globals on
    2007-03-01 11:52:54  andrwe

    My method for securing where POST data comes from is thus:

    $referer = $_SERVER['HTTP_REFERER'];
    if ($referer != "") {
        echo "nice try!";
    } else {
        // POST handling goes here (not shown in the post)
    }

    Any downside to that (other than having to change the URL upon upload)?
    • Register Globals on
      2007-03-01 14:10:51  Clancy Malcolm | O'Reilly Author

      The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

    • Register Globals on
      2008-07-01 11:13:49  davidrrm

      That's certainly not a certain test though. I could create a program to do the post and it would set HTTP_REFERER to what you are looking for.
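
The point made in the replies above, as an added example that is not part of the original thread or the article: a Referer comparison passes for any request whose sender writes the expected header, while a value the server stored in the session when it rendered the form cannot be supplied by a sender who never received it. The function names, the `form_token` field and the example.com URL are assumptions made for this illustration.

```php
<?php
// Added example: names, URL and field names below are assumptions.

// Referer-based check: trusts a request header that the client writes.
function refererCheck(array $server, string $expected): bool
{
    return ($server['HTTP_REFERER'] ?? '') === $expected;
}

// Token-based check, step 1: when rendering the form, store a random value
// in the session and emit it as a hidden field.
function issueToken(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Token-based check, step 2: on POST, require the same value back.
function tokenCheck(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $supplied = $post['form_token'] ?? '';
    return $expected !== '' && is_string($supplied)
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample data standing in for $_SESSION, $_SERVER and $_POST.
$formUrl = 'https://www.example.com/form.php';
$session = [];
$token   = issueToken($session);

// Request submitted from the real form: the hidden field carries the token.
$genuine = ['server' => ['HTTP_REFERER' => $formUrl],
            'post'   => ['form_token' => $token]];
// Request built by another program: the Referer is whatever the sender set,
// but the sender never saw the token held in this session.
$scripted = ['server' => ['HTTP_REFERER' => $formUrl],
             'post'   => ['form_token' => 'guess']];

foreach (['genuine' => $genuine, 'scripted' => $scripted] as $name => $req) {
    printf("%-8s referer check: %s  token check: %s\n", $name,
        var_export(refererCheck($req['server'], $formUrl), true),
        var_export(tokenCheck($session, $req['post']), true));
}
```

The token only ties a POST to a form the server issued for that session; the submitted values still need validating, since the session owner can send any data they like.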