[nycphp-talk] Forms & Refresh Question & General Form Security
Chris Shiflett
shiflett at php.net
Fri May 16 14:30:55 EDT 2003
--- "Bhulipongsanon, Pinyo" <Pinyo.Bhulipongsanon at usa.xerox.com> wrote:
> > You do realize you're basically trusting the user with the value of
> > status, right? I hope you're not using that for anything important.
>
> First, can't we improve this with session variable instead of $_GET
> variable?
Yes, good suggestion.
> Second, you can always check for a valid $HTTP_REFERRER
The Referer header is not required by the HTTP specification, even in 1.1, so
relying on that is not necessarily a good idea. You will basically render your
application useless to any Web client that does not provide this *optional*
HTTP header. If you want to do that, it's fine, so long as you are taking that
caveat into consideration.
Chris
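The two points in Chris's reply, as an added example that is not code from either poster: keep the form's "status" in the session rather than in a $_GET parameter, and treat a Referer check as something that can only fail closed when the header is actually present. The form states, the `advance_status` helper and the expected host name are assumptions made for this illustration, not anything from the original thread.

```php
<?php
// Added example (not code from the original thread): server-side form state
// plus a Referer check that honours the caveat that the header is optional.

session_start();

// Hypothetical form states, fixed server-side so the client cannot invent one.
const FORM_STATES = ['start', 'confirm', 'done'];

function current_status(): string
{
    // The client never supplies this value; it lives only in the session.
    return $_SESSION['form_status'] ?? 'start';
}

function advance_status(string $next): void
{
    // Accept only the single next step the server defined; editing the URL
    // to jump straight to 'done' no longer works.
    $order = array_flip(FORM_STATES);
    if (!isset($order[$next]) || $order[$next] !== $order[current_status()] + 1) {
        throw new RuntimeException('invalid state transition');
    }
    $_SESSION['form_status'] = $next;
}

// Referer check. Returns 'ok', 'mismatch' or 'absent'; the caller decides how
// to treat 'absent', because clients and proxies may simply not send the header.
function referer_check(array $server, string $expected_host): string
{
    if (!isset($server['HTTP_REFERER']) || $server['HTTP_REFERER'] === '') {
        return 'absent';
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($host)) {
        return 'mismatch';   // unparsable Referer is treated like a wrong one
    }
    return strcasecmp($host, $expected_host) === 0 ? 'ok' : 'mismatch';
}

// POST handler using the helpers above ('www.example.com' is an assumed host).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (referer_check($_SERVER, 'www.example.com') === 'mismatch') {
        http_response_code(403);
        exit('form must be submitted from this site');
    }
    // 'absent' is deliberately let through: rejecting it would lock out every
    // client that does not send the optional header, as Chris points out.
    try {
        advance_status($_POST['next'] ?? '');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('bad request');
    }
}
```

Note that the Referer value, when present, is still supplied by the client, so the check above stops only accidental cross-site submissions, not a client that deliberately sets the header; the session-held status is what actually keeps the user from choosing the value of `status`.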