[nycphp-talk] Forms & Refresh Question & General Form Security
Chris Shiflett
shiflett at php.net
Fri May 16 14:30:55 EDT 2003
--- "Bhulipongsanon, Pinyo" <Pinyo.Bhulipongsanon at usa.xerox.com> wrote:
> > You do realize you're basically trusting the user with the value of
> > status, right? I hope you're not using that for anything important.
>
> First, can't we improve this with session variable instead of $_GET
> variable?
Yes, good suggestion.
> Second, you can always check for a valid $HTTP_REFERRER
The Referer header is not required by the HTTP specification, even in 1.1, so
relying on that is not necessarily a good idea. You will basically render your
application useless to any Web client that does not provide this *optional*
HTTP header. If you want to do that, it's fine, so long as you are taking that
caveat into consideration.
Chris
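The two points in this reply, moving the form's state out of `$_GET` into the session and treating a Referer check as optional rather than mandatory, as an added PHP example that is not from the thread or from either poster. The step names, the `form_step` session key, the `EXPECTED_HOST` constant and the `$requireHeader` switch are assumptions made for the illustration; it uses modern PHP syntax rather than the 2003-era style of the list.

```php
<?php
// Added example, not code from the original thread. A hypothetical multi-step
// form; STEPS, the 'form_step' session key and EXPECTED_HOST are assumptions.

session_start();

// "Before": the pattern the thread warns about. Whatever the client sends in
// ?status=... is trusted, so anyone can request status=confirmed directly.
function stepFromQueryUntrusted(array $get): string
{
    return $get['status'] ?? 'start';
}

// "After": the step lives in the session. The client never sets it; only the
// server advances it, and only in the allowed order.
const STEPS = ['start', 'details', 'confirmed'];

function currentStep(array &$session): string
{
    $step = $session['form_step'] ?? 'start';
    // Reject a value we did not write (corrupted or tampered session storage).
    return in_array($step, STEPS, true) ? $step : 'start';
}

function advanceStep(array &$session): string
{
    $idx  = array_search(currentStep($session), STEPS, true);
    $next = STEPS[min($idx + 1, count(STEPS) - 1)];
    $session['form_step'] = $next;
    return $next;
}

// Referer check with the caveat from the reply: the header is optional in HTTP,
// so a missing header must not be treated like a wrong one unless you accept
// locking out every client that does not send it ($requireHeader = true).
// Note that a non-browser client can send any Referer it likes, so this check
// only raises the bar for ordinary browsers; it is not authentication.
const EXPECTED_HOST = 'www.example.com'; // assumed host for this illustration

function refererIsAcceptable(?string $referer, string $expectedHost, bool $requireHeader = false): bool
{
    if ($referer === null || $referer === '') {
        return !$requireHeader; // absent header: allowed unless strict mode is on
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Request handling: advance the step only on POST from our own pages.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!refererIsAcceptable($_SERVER['HTTP_REFERER'] ?? null, EXPECTED_HOST)) {
        http_response_code(403);
        exit('Request did not originate from this site.');
    }
    $step = advanceStep($_SESSION);
} else {
    $step = currentStep($_SESSION);
}

echo 'Current step: ' . htmlspecialchars($step, ENT_QUOTES, 'UTF-8') . "\n";
```

With `$requireHeader` left at its default, a client that omits the header still gets through and the check only catches requests that carry a Referer from some other host; switching it to `true` is the trade-off the reply describes, where every Referer-less client is refused.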