Posted by Scott Noyes on 09/14/05 22:15
> Suppose you have a form that posts set hidden values.  A malicious user
> could modify the URI to change those values.
 
 A malicious user could just as easily modify the http header that sets
 the POST, or the cookie that sets the COOKIE, or whatever.  In other
 words, if it comes from the user, it could have been tampered with.
 
 > Which raises the question, in the scenario above, you may have an identical
 > 'post' value and 'get' value submitted to the same page.  Which takes
 > precedence in $_REQUEST?
 
 That is configurable in php.ini (I think).  By default, COOKIE
 overwrites POST overwrites GET.
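
The precedence question above, as an added example that is not part of the original post: a small PHP emulation of how `$_REQUEST` is merged under an order string (the php.ini directives involved are `variables_order` and `request_order`), followed by reading the field from `$_POST` explicitly and taking the price from server-side data. The function names, field names and catalog are hypothetical, and the sample arrays are constructed.

```php
<?php
// Added illustration; build_request(), trusted_price(), the field names and
// the catalog are hypothetical, and all sample arrays are constructed.

// Emulate how $_REQUEST is filled: sources are merged left to right in the
// order string, so a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {   // letters other than G, P, C are ignored here
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Read the field from the one source the form uses, validate it, and take
// the price from server-side data instead of from a hidden field.
function trusted_price(array $post, array $catalog): ?int
{
    $item = $post['item'] ?? null;
    if (!is_string($item) || !array_key_exists($item, $catalog)) {
        return null;                      // unknown or malformed item: reject
    }
    return $catalog[$item];
}

// Constructed request: the same key arrives by three routes.
$get     = ['price' => '1'];
$post    = ['item' => 'book', 'price' => '100'];
$cookie  = ['price' => '0'];
$catalog = ['book' => 100, 'pen' => 3];   // server-side prices

foreach (['GPC', 'GP', 'CGP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("order %-3s -> \$_REQUEST['price'] = %s\n", $order, $request['price']);
}
var_dump(trusted_price($post, $catalog));
var_dump(trusted_price(['item' => 'nope'], $catalog));
```

Whatever order is configured, the value that wins in `$_REQUEST` is still client-supplied, so the second function ignores the submitted `price` entirely.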