
By rick
via roshanbh.com.np
Published: Jun 23 2008 / 13:02

An HTTP POST request from an outside domain is one way of attacking your website. An intruder can use JavaScript on another domain or on localhost to send repeated POST requests to your web page containing a PHP script. We must prevent this kind of cross-domain form posting, which might be harmful to our website.

Comments


isnoop replied ago:


I like the basic premise, but this article overlooks some major issues with the HTTP_REFERRER approach: Users with referrers turned off will fail the test as described. Also HTTP_REFERRER is set by the user so an attack could easily be launched with a faked referrer that tricked your script. For example, many Wordpress comment spam attacks include faked referrers.


jgmurray replied ago:


Bad advice, from a 'PHP Professional'. How many people are going to use this and end up getting all the spam they can handle on their (or worse, their client's) website?


Sven Arild Helleland replied ago:


As mentioned, NEVER trust or rely on variables that can be altered by the user.

Not only are an approach like this going to alienate valid users (not all browsers populate the HTTP_REFERRER, and you can also turn it off), but it will not stopp users with bad intentions anyway as its the easiest thing to fake.
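The commenters' point, with the fix they imply, as an added PHP example that is not the linked article's code or any commenter's: the referer-only check beside a per-session form token that a page on another origin cannot read. The hostname, handler file name and field names are assumptions.

```php
<?php
// Added example, not code from the linked article or any commenter: the
// referer-only check beside a session-token check that does not depend on a
// header the client controls. Hostname and handler name are hypothetical.
session_start();

// Weak (shown for contrast): HTTP_REFERER is supplied by the client. Privacy
// settings strip it, so real users fail, and a forged request can set it to
// anything, so a bad actor passes.
function refererLooksLocal(string $expectedHost): bool {
    if (empty($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    return strcasecmp((string)$host, $expectedHost) === 0;
}

// Stronger: a per-session random token embedded in the form. A page on another
// origin cannot read it, so a cross-site POST cannot include the right value.
function issueCsrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Application-specific handling of $_POST['comment'] goes here.
    exit('Comment accepted.');
}

// GET: render the form with the token as a hidden field (HTML-escaped).
$token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="comment.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<textarea name="comment"></textarea><button>Post</button></form>';
```

The token check rejects a cross-site POST whether or not the Referer header is present, and does not penalise users whose browsers omit it.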
