PHP Security: send POST to same URL = bad?
I had a response on a question yesterday about sending POST data to the same page with the Post-Redirect-Get pattern like this:
if (isset($_POST['Submit'])) {
    // ... handle the submitted data here ...
    // prevent resending data on refresh: redirect back to this same URL (PRG)
    header("Location: " . $_SERVER['PHP_SELF']);
    exit; // stop here so nothing below is executed or sent after the redirect
}
Someone replied (on "sending data to same PHP page from Javascript, no AJAX or forms"):
"It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL."
Now I would like to know: what is wrong with this? I want to avoid using a separate page with the confirmation message, because it just breaks the user experience and from a design POV it is a no-go.
It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.
I think the person who said this might have misunderstood either you or web security.
There's nothing wrong with using the same URL for different request methods (GET, POST, PUT, DELETE, HEAD, etc.). In fact, it's a very good idea.
It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.
I rather interpret this sentence to mean that a GET request on the same URL should not cause the same effect as a POST request. So checking for $_REQUEST['submit'] instead of explicitly checking $_POST['submit'] or $_SERVER['REQUEST_METHOD'] could be a violation.
Maybe the author did also mean that the form uses some one-time authentication token so that only authenticated requests are permitted.
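The following is an added example, not code from the question or from any of the answers. It puts the points above together in one PHP page: the URL handles GET and POST differently, the state-changing branch is selected on $_SERVER['REQUEST_METHOD'] rather than $_REQUEST, a one-time session token is required on POST, and the Post-Redirect-Get redirect is followed by exit. The session keys 'csrf_token' and 'flash', the field names 'name' and 'Submit', and the choice of deriving the redirect target from REQUEST_URI (PHP_SELF can carry caller-supplied path info, so the path is stripped of its query string here instead) are assumptions made for this example.

```php
<?php
// Added example: one URL, two request methods, PRG with a one-time token.
// Session keys, field names and the redirect-target choice are assumptions.
session_start();

// Issue a per-session one-time token that the form must echo back on POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Branch on the request method, not on $_REQUEST: a GET carrying
// ?Submit=1 in the URL must never reach the state-changing path.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['csrf_token'] ?? '';
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }

    $name = trim($_POST['name'] ?? '');
    if ($name === '') {
        $_SESSION['flash'] = ['error' => 'Name is required.'];
    } else {
        // ... persist $name here ...
        $_SESSION['flash'] = ['ok' => 'Saved ' . $name . '.'];
    }

    // PRG: redirect to this same URL (path only, query string dropped) so a
    // browser refresh replays a harmless GET instead of the POST. 303 tells
    // the client to follow with GET; exit stops any further output.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}

// GET: show the confirmation or error message once, then the form again.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<!DOCTYPE html>
<html><body>
<?php if (isset($flash['ok'])): ?>
  <p class="ok"><?= htmlspecialchars($flash['ok'], ENT_QUOTES, 'UTF-8') ?></p>
<?php elseif (isset($flash['error'])): ?>
  <p class="error"><?= htmlspecialchars($flash['error'], ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
  <label>Name <input type="text" name="name"></label>
  <button type="submit" name="Submit" value="1">Submit</button>
</form>
</body></html>
```

Save it as a single script and open it in a browser: a GET renders the form, a POST with a valid token stores a message in the session and redirects, and the next GET shows that message exactly once. A GET with Submit=1 in the query string, or a POST without the session token, never reaches the "persist" branch, which is the property the quoted sentence is asking for.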
It seems like the replier didn't think his response through. I would imagine he was thinking there would be some security issues by using $_SERVER["PHP_SELF"], but I can't see how in this case.
As already mentioned, there is nothing wrong with letting the same URL handle different requests.
That said, I still separate the confirmation message from the form. I see no reason as to why I shouldn't. Validation and error messages can still occur on the form view, but just letting a lot of conditions determine whether you should show the confirmation message, the form or error messages seems like (IMO) you're getting a lot of messy code.