Posted by "Richard Lynch" on 10/07/05 23:56
On Thu, October 6, 2005 4:52 am, Ragnar wrote:

 Everything you are trying to do with the cURL, multiple pages, and
 whatnot scares the bejesus out of me...
 
 Especially that you seem to be passing people's credit card numbers
 around in this manner. [shudder]
 
 > I did see that there is a FOLLOWLOCATION option you can set in cURL
 > when you
 > do you request, and though "wicked, just what I needed" only to find
 > out
 > that it's not working (probably because I understand what it does
 > wrong).
 
 Most definitely you misunderstood what it does.
 
 Here's what it REALLY does:
 
 Suppose when cURL loads up the URL you ask for, it gets this back:
 
 HTTP 302 Resource moved
 Location: http://example.com/new_location_for_it.htm
 
 If you have FOLLOWLOCATION set to 1, then cURL is just gonna go ahead
 and request the new Location: and get you the damn answer you asked
 for.
 
 If you have it set to 0, you only get back the output from the 302
 page -- So you can figure out exactly what the server is doing,
 bouncing you around from page to page, with all these silly Location:
 headers, chewing up valuable HTTP connection resources, and basically
 putting a big server burden on whatever you are trying to get to.
 
 [Actually, if HTTP/1.1 is being used, and Keep-alive is working
 properly on all fronts, the burden is not so huge...  But that's not a
 "given" for most servers/software today.]
 
 > Pretty pretty please if anyone knows a solution for the above, let me
 > know.
 
 So I don't have any answer for what you're trying to do, except to sit
 down and re-think all the bouncing around of data you're doing, and
 most importantly where/how the credit card numbers are being
 stored/transmitted, even in such temporary things as RAM, which is
 swapped to hard drive, which is susceptible to attack.
 
 On most shared servers, putting credit card info in SESSION data is
 Really Bad Idea (tm) as every other user on the shared system can
 troll through your session data with little to no effort.
 
 > Oh, and I'd also like to add that the information I am trying to get
 > to the
 > 3rd page in the example is sensitive (Credit Card details etc.), so
 > $_GET
 > and $_COOKIE are out of the question.
 
 This statement alone makes me think that you believe that $_POST is
 somehow "safer" than $_GET and $_COOKIE.
 
 Please purge that idea right out of your head this instant.
 
 By the time you are on your PHP script, talking to some other server,
 the data you send to/from that other server, via GET, POST, or COOKIE
 is no more or less secure in any of the three.
 
 POST data from the browser is only 1/100000000th "more secure" than
 GET in that any idiot can see the "Location" URL and play with it, and
 it takes a tenth of a clue to do "Save As.." and muck with the <INPUT
 tags to change POST data...
 
 As an exercise, please try this yourself:
 
 Surf to some page that has a FORM on it.
 Save As... to your hard drive.
 Change the <INPUT tags to whatever you think will cause "interesting"
 results on that server.
 Open that file in your browser and click on the "Submit" button.
 
 --
 Like Music?
 http://l-i-e.com/artists.htm
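The two points above, the FOLLOWLOCATION behaviour and the "Save As... and muck with the INPUT tags" exercise, as an added example that is not part of the original post. It stands up a local HTTP server on the loopback interface (a constructed stand-in for "whatever you are trying to get to"), then uses two Python clients: http.client never follows redirects, so it behaves like FOLLOWLOCATION=0 and hands you the 302 and its Location header; urllib.request follows by default, like FOLLOWLOCATION=1. The /old, /new and /checkout paths and the price field are made up for the demonstration.

```python
"""Added example (not from the original mailing-list post): a local HTTP
server that answers a 302 redirect, plus clients that show what following
the Location header does and does not do, and that a POST body is just as
easy to tamper with as a GET query string.  All paths and field names are
assumptions made for the demonstration."""
import threading
import urllib.parse
import urllib.request
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    """Constructed endpoints: /old bounces to /new; /checkout trusts a form field."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/old":
            # The kind of response the post describes: a 302 plus a Location header.
            self.send_response(302)
            self.send_header("Location", "/new")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/new":
            body = b"final answer"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # The server trusts whatever "price" the client sent, which is exactly
        # the mistake the post warns about: POST fields are client-controlled.
        body = ("charged=" + fields.get("price", ["?"])[0]).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Start the constructed server on a free loopback port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_no_follow(base, path):
    """FOLLOWLOCATION=0 equivalent: http.client never follows redirects,
    so the caller sees the 302 and its Location header directly."""
    u = urllib.parse.urlsplit(base)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result


def fetch_follow(base, path):
    """FOLLOWLOCATION=1 equivalent: urllib's default opener silently requests
    the new Location and hands back the final response."""
    with urllib.request.urlopen(base + path, timeout=5) as resp:
        return resp.status, resp.geturl(), resp.read()


def post_form(base, path, fields):
    """Submit an application/x-www-form-urlencoded body built by hand.  Nothing
    stops the client from sending any field value it likes, hidden input or not;
    this is the scripted form of the "Save As... and edit the form" exercise."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(base + path, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    base = start_server()
    print(fetch_no_follow(base, "/old"))   # (302, '/new', b'')
    print(fetch_follow(base, "/old"))      # (200, 'http://127.0.0.1:PORT/new', b'final answer')
    print(post_form(base, "/checkout", {"item": "widget", "price": "0.01"}))  # b'charged=0.01'
```

With following off you get the bare 302 and can read the Location yourself; with it on you never see the bounce, only the final body. The POST call shows why a server must validate every field it receives: the "price" reaches the server exactly as the client chose to send it.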