Article:
  Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2003-05-26 11:13:56
From:   anonymous2
Response to: Register Globals on

Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to http://www.somwhere.net/someaction.php

  • Register Globals on
    2003-09-26 17:58:53  anonymous2

    How do you turn it on?
  • Register Globals on
    2007-03-01 11:52:54  andrwe

    My method for securing where POST data comes from is thus:

    <?php
    // Compare the client-supplied Referer header against the form's URL
    $referer = $_SERVER['HTTP_REFERER'];
    if ($referer != "http://www.domain.com/form.html") {
        echo "nice try!";
    } else {
        process_form();
    }
    ?>

    Any downside to that (other than having to change the URL upon upload)?
    • Register Globals on
      2007-03-01 14:10:51  Clancy Malcolm | O'Reilly Author

      The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

      Clancy
    • Register Globals on
      2008-07-01 11:13:49  davidrrm

      That's certainly not a certain test though. I could create a program to do the post and it would set HTTP_REFERER to what you are looking for.
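The referer check from andrwe's post next to a check that does not rely on a client-controlled header, as an added example that is not code from the thread or the article. It assumes PHP 7 or later (random_bytes, hash_equals), a hypothetical process.php handler and a placeholder process_form(); the form token is random, stored server-side in the session and single use, so a request built outside the real form cannot supply it.

```php
<?php
// Added example: the Referer check from the thread beside a session-token check.
session_start();

// The thread's approach: trusts a header the client constructs, so it is
// only a hint about where the POST came from, not a trust boundary.
function referer_matches(array $server, string $expected): bool {
    return isset($server['HTTP_REFERER']) && $server['HTTP_REFERER'] === $expected;
}

// Hardened approach: the server issues a random token, keeps it in the
// session and embeds it in the form it renders.
function issue_form_token(array &$session): string {
    $token = bin2hex(random_bytes(32));          // random_bytes: PHP >= 7.0
    $session['form_token'] = $token;
    return $token;
}

function post_is_from_our_form(array $session, array $post): bool {
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so the token does not leak
    // through timing differences.
    return hash_equals($session['form_token'], (string) $post['form_token']);
}

function process_form(): void {            // placeholder for the real handler
    echo "form accepted";
}

// Rendering the form (hypothetical process.php handles the submission).
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    $token = issue_form_token($_SESSION);
    echo '<form method="post" action="process.php">';
    echo '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    echo '<input type="submit"></form>';
    exit;
}

// Handling the submission: reject anything without the matching token.
if (!post_is_from_our_form($_SESSION, $_POST)) {
    http_response_code(403);
    echo "form token missing or invalid";
    exit;
}
unset($_SESSION['form_token']);            // single use: a replayed POST fails
process_form();
```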