Richard Davey wrote:

Hello Robert,

Thursday, April 8, 2004, 7:13:27 PM, you wrote:

RC> Aaah ok. That makes more sense to me :) Sorry was confused by the use of
RC> the word redirect. Thought you were redirecting the user to an alternate
RC> script with the reposted data. I'm not sure I understand how this is
RC> more secure since isn't the data as valid as the first time it was
RC> posted?

It's not about the validity of data, that is handled by the receiving
script - it's about knowing for sure WHERE that form data came from in
the first place. For example it would stop something along the lines
of a user downloading your form, modifying some values and then
posting it from their local box. It could also stop another web-site
automatically posting data to your forms should they mask the referer
value.

How would your process stop them? If Script A doesn't know where the data is coming from, how could Script B know where it's coming from? Sure, Script B knows it's receiving data from Script A, but the data could have come from anywhere before that. Script A just resends it anyhow without any checks. Sure, no one can call Script B directly, but they don't have to when Script A just sends the data, anyhow. :)


--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
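As an added example that is not part of the thread, a small Python model of the two scripts John describes: Script A forwards whatever it received, so Script B accepts a forged post just as readily as a real one. It goes one step beyond the discussion by adding a per-session form token, the check that actually ties a submission to a form this site served; the function names and the in-memory session store are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> token minted for the form.
SESSIONS = {}


def render_form(session_id):
    """Script A serves the form and embeds a fresh random token as a hidden field."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return {"comment": "", "form_token": token}


def script_b(session_id, posted, came_via_a):
    """Script B as discussed: it only knows whether the data arrived via Script A."""
    if not came_via_a:
        return "rejected: direct call"
    return "accepted"


def script_a_forward(session_id, posted):
    """The pattern under discussion: Script A re-posts the data to Script B unchanged.
    Nothing about the original origin survives this hop, so a forged post passes."""
    return script_b(session_id, posted, came_via_a=True)


def script_b_with_token(session_id, posted):
    """Origin check that binds the post to a form this server issued to this session.
    A copy of the form posted from elsewhere carries no valid token for that session."""
    expected = SESSIONS.get(session_id)
    supplied = posted.get("form_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or wrong form token"
    # One-time use: a replay of the same submission is refused.
    del SESSIONS[session_id]
    return "accepted"
```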