[nycphp-talk] PHP Penetration Discussion

Adam Maccabee Trachtenberg adam at trachtenberg.com
Sat May 28 10:56:10 EDT 2005


On Sat, 28 May 2005, Jon Niola wrote:

> Thinking about that article I was wondering, why not just check the
> HTTP_REFERER to make sure the form is being submitted from server as
> opposed to someone storing it locally and editing vars?
>
> Might not be too bad an idea for us to put together a security page
> with best practices, do's and don'ts, etc. It would be a valuable
> resource for even the seasoned coders. Some of the best coders I know
> take security for granted.

I don't mean to be rude, but if you really think checking HTTP_REFERER
is a good way to protect against this type of attack, you probably
shouldn't be working on a security "best practices" page.

This value is easily spoofed because an attacker can manually set the
HTTP header herself and the value is easily known. See
http://shiflett.org/archive/96.

-adam

-- 
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
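Added example, not code from this thread or from either poster: the Referer check Jon proposes, beside the session-bound form token that Adam's objection leads to. It assumes PHP 7+, an active PHP session, and a form field named `csrf_token`.

```php
<?php
// Added example (not from the original thread). Weak Referer-based check
// beside a session-bound anti-CSRF token; assumes PHP 7+ and an active session.

session_start();

// Weak: trusts the Referer header. The client supplies it, and many proxies
// and privacy settings strip it, so it is neither reliable nor a security
// boundary. Shown here only for contrast; do not use it as the gate.
function referer_looks_local(array $server, string $host): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return parse_url($ref, PHP_URL_HOST) === $host;
}

// Stronger: issue a random secret bound to the session and embed it in the
// form. A third-party page cannot read it, so it cannot forge a valid submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals avoids leaking the token through a timing side channel
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... handle the trusted submission here ...
    exit('OK');
}

// Render the form with the token in a hidden field (constructed sample form).
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="comment">'
   . '<button type="submit">Send</button>'
   . '</form>';
```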
