开发者

can you send $_POST to an externally hosted php file?

This is a question of security, so I am not looking for a solution on how to do this, I just want to make sure that it cannot be done.

Let's say I have a file called login.php and it's hosted online and running live, let's say on http://www.rimmer.sk/login.php

Now开发者_开发问答, let's image this file looks like this:

<?php
if (isset($_POST['register'])){
   echo 'all is done !';
}
?>

Question: Can you, externally, send $_POST['register'] to my file, or can this be done only internally from files hosted within the same virtualhost?


It can be done. Everyone can send you a POST (or a GET, for that matter) request. There is no limit that forbids requests from outside your virtualhost.

(maybe not for you, maybe it is, but not everyone can set your $_SESSION, so an external domain cannot alter that)


In short yes it can be posted from the external site.


Yes this can be done very easily. Take a look at: http://php.net/manual/en/book.curl.php


Of course I can post from an external location, after all that's what the user's browser does when they submit the form. I can therefore write a script to post the register field to your server with ease.

What use case are you imagining? There are lots of security options (firewalls etc) but without knowing what you are trying to achieve, it's hard to give specifics.

One way of denying script attacks is to generate one time passwords on the server that you send to the browser with each registration form, then when you get a response back, check that the OTP is valid. This at least adds another layer of security.

But as I say ... without knowing more it's hard to be specific.


or can this be done only internally from files hosted within the same virtualhost?

Quite contrary. This cannot be done only internally. In fact, a form being sent not from server internals but from the user's browser

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜