--- [EMAIL PROTECTED] wrote:

> If it's bulletproof, then I figured this could help
> some of you out. If not, I welcome comments (I'm a
> little bit hesitant of calling things 'bulletproof').
It's not bulletproof. :-)

> if((count($_POST) > 0) &&
>    (!stristr($_SERVER["HTTP_REFERER"],
>    $http_referer))) {
>     unset($_POST);
>     $evil = "postedfromoutsidepage";
> }

If this page is located at http://www.example.org/foo.php, and you are trying to ensure that the data is being posted from http://www.example.org/bar.php, consider the following:

--------------------
# telnet www.example.org 80
Trying 192.0.34.166...
Connected to www.example.org (192.0.34.166).
Escape character is '^]'.
POST /foobar.php HTTP/1.1
Host: www.example.org
Referer: http://www.example.org/bar.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

varname=any_value_i_choose
--------------------

Someone can use this method to bypass your Referer header check and post any data they choose.

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
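The forged request from Chris's telnet session, replayed against a model of the posted PHP check, as an added example that is not part of the thread. The raw request bytes are constructed to match the session above; `parse_request`, `referer_check_passes`, `issue_token` and `token_check_passes` are hypothetical names written for this example. `referer_check_passes` mirrors `stristr($_SERVER["HTTP_REFERER"], $http_referer)`, which is a case-insensitive substring test, so a Referer that merely contains the expected URL also passes; the token functions show the usual replacement, a per-session secret the attacker cannot know, compared in constant time.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed to match the telnet session in the post above (Content-Length computed).
BODY = b"varname=any_value_i_choose"
FORGED_REQUEST = (
    b"POST /foo.php HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Referer: http://www.example.org/bar.php\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased; the body is truncated to Content-Length.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, path, headers, body[:length]


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}


def referer_check_passes(headers: dict, expected="http://www.example.org/bar.php") -> bool:
    """Model of the posted check: stristr($_SERVER["HTTP_REFERER"], $http_referer).

    stristr() succeeds when the expected URL appears anywhere in the Referer,
    case-insensitively. The client supplies the header, so it proves nothing.
    """
    referer = headers.get("referer", "")
    return expected.lower() in referer.lower()


def issue_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and return it.

    The page embeds it in a hidden field of the form it renders.
    """
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def token_check_passes(session: dict, form: dict) -> bool:
    """Accept the POST only if it carries the token bound to this session.

    compare_digest avoids leaking the token through timing differences.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)


def demo() -> dict:
    """Run the forged request through both checks and report the outcomes."""
    _method, _path, headers, body = parse_request(FORGED_REQUEST)
    session = {}
    token = issue_token(session)          # what a real visit to bar.php would set
    forged_form = parse_form(body)        # attacker's body has no token
    legit_form = {"varname": "x", "csrf_token": token}
    return {
        "referer_check_passes_forged": referer_check_passes(headers),
        # Same substring check, Referer pointing at an attacker site:
        "referer_check_passes_substring": referer_check_passes(
            {"referer": "http://evil.example/?u=http://www.example.org/bar.php"}),
        "token_check_passes_forged": token_check_passes(session, forged_form),
        "token_check_passes_legit": token_check_passes(session, legit_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Referer check admits the hand-built request because the header is just another client-controlled line of the request. The token check rejects it because the attacker never received a token for that session, while a form rendered by the site, which carries the token, still goes through.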