Verify sender of $_POST


5 replies to this topic

#1 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • Location: Netherlands

Posted 08 September 2006 - 09:01 AM

Anyone know of a way I haven't thought of to verify the sender of $_POST data to be a local script?

Something that can't (or is very hard to) be spoofed?

I don't see any way, but I might be overlooking something, so I thought I'd try...

#2 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 08 September 2006 - 09:03 AM

If it's local, don't use $_POST.

There will be recommendations for $_SERVER['HTTP_REFERER'] and/or $_SERVER['REMOTE_ADDR'] but they are very unreliable.

#3 448191


Posted 08 September 2006 - 12:13 PM

> There will be recommendations for $_SERVER['HTTP_REFERER'] and/or $_SERVER['REMOTE_ADDR'] but they are very unreliable.

No there won't, because I said 'hard to spoof' and everybody knows those are easy to spoof.

> If it's local, don't use $_POST.


I'm sorry I wasn't very clear. I wanted something like HTTP_REFERER but more reliable. I was going to use it to verify that the sending of data was provoked by my own application, but now that I think of it there are probably better ways to do that. In short: never mind.

#4 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 08 September 2006 - 12:45 PM

> ... but now that I think of it there are probably better ways to do that.


Care to share?
Legend has it that reading the manual never killed anyone.

#5 Jenk


Posted 08 September 2006 - 04:48 PM

>> There will be recommendations for $_SERVER['HTTP_REFERER'] and/or $_SERVER['REMOTE_ADDR'] but they are very unreliable.
>
> No there won't, because I said 'hard to spoof' and everybody knows those are easy to spoof.

Ha, you've been here longer than I have, yet you say that.

>> If it's local, don't use $_POST.
>
> I'm sorry I wasn't very clear. I wanted something like HTTP_REFERER but more reliable. I was going to use it to verify that the sending of data was provoked by my own application, but now that I think of it there are probably better ways to do that. In short: never mind.

Still stands.. your own application is instigating the POST data.. so why use POST in the first place? Use SESSION or better yet a database table.
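
Added example, not part of any post in this thread: one common way to check that a POST was provoked by a form your own application served is a random per-session token embedded in that form and compared on submission, rather than `HTTP_REFERER` or `REMOTE_ADDR`. It assumes PHP 7 or later; the function names and the `form_token` key are hypothetical.

```php
<?php
// Added example: bind each form to the visitor's session with a random token
// instead of trusting $_SERVER['HTTP_REFERER'] or $_SERVER['REMOTE_ADDR'].
// Function names and the 'form_token' key are hypothetical (not from the thread).
session_start();

function issue_form_token(): string
{
    // 32 bytes from the OS CSPRNG; the reference copy lives only in the session.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function post_came_from_our_form(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    // Single use: discard the stored token whether or not the check passes.
    unset($_SESSION['form_token']);
    $supplied = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // no form was issued to this session, or the field is missing/not a string
    }
    // Constant-time comparison of the stored and submitted values.
    return hash_equals($expected, $supplied);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!post_came_from_our_form($_POST)) {
        http_response_code(403);
        exit('Rejected: this POST does not carry a token issued to this session.');
    }
    $comment = is_string($_POST['comment'] ?? null) ? $_POST['comment'] : '';
    echo 'Accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}

$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

The check ties a submission to a page served to the same session; it says nothing about who the user is, so authentication stays a separate concern.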

#6 448191


Posted 08 September 2006 - 05:39 PM

> Ha, you've been here longer than I have, yet you say that.

I won't go into that. Suffice it to say you are wrong. Either you don't understand me or you're an idiot; judging by the childishness of the above comment, I am leaning towards the latter.

That is ALL I'm saying in this thread. [adds Jenk to looooong personal blacklist  :P]



