Nobody Special wrote:
> With curl I can automate pretty much any web site, you can't tell the difference between it and somebody using a browser. You are better off worrying about sanitizing the incoming data than securing the form. Let your session handling and login stuff take care of that.
This isn't about sanitizing data. This is about making a user unknowingly make a request to another site.
Yes, you can automate things with cURL, but the requests are coming from your server, not the user you're trying to abuse. You could simulate their cookies, but you'd have to get them first, which isn't always easy or possible. With a CSRF attack, you have the user make the request and send their cookies, data, whatever, without them even knowing it.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
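Since the difference the reply draws is about whose browser sends the cookies, the standard defence is a per-session secret that a cross-site page cannot read and so cannot include in the forged request. The following PHP is an added example, not code from the thread or from anyone on the list; it assumes PHP 7 or later with sessions enabled and a form that posts back to the same script:

```php
<?php
// Added example (not from the thread): synchronizer-token CSRF defence.
// Assumes PHP 7+, sessions enabled, form served and handled by this script.

session_start();

// Generate a random token once per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_check(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A request forged from another site arrives with the victim's cookies,
    // so the session is valid, but the attacker's page never saw the token
    // and cannot guess 256 random bits, so this check rejects it.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the state-changing action here ...
    echo 'Action accepted.';
    exit;
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <input type="text" name="email">
    <button type="submit">Change e-mail</button>
</form>
```

A cURL client that already holds a valid session cookie can still fetch the form and replay the token, which is the point the reply makes: the token stops forged cross-site requests, not an attacker who has the user's credentials.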