Hello Robert,
Thursday, April 8, 2004, 7:13:27 PM, you wrote:
RC> Aaah ok. That makes more sense to me :) Sorry was confused by the use of
RC> the word redirect. Thought you were redirecting the user to an alternate
RC> script with the reposted data. I'm not sure I understand how this is
RC> more secure since isn't the data as valid as the first time it was
RC> posted?
It's not about the validity of data, that is handled by the receiving script - it's about knowing for sure WHERE that form data came from in the first place. For example it would stop something along the lines of a user downloading your form, modifying some values and then posting it from their local box. It could also stop another web-site automatically posting data to your forms should they mask the referer value.
How would your process stop them? If Script A doesn't know where the data is coming from, how could Script B know where it's coming from? Sure, Script B knows it's receiving data from Script A, but the data could have come from anywhere before that. Script A just resends it anyhow without any checks. Sure, no one can call Script B directly, but they don't have to when Script A just sends the data, anyhow. :)
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
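The thread above turns on one question: how can the receiving script know where the posted form data came from, given that the Referer header can be absent or forged and a pass-through script adds nothing? The usual answer is a secret token tied to the user's session, embedded in the form and checked on submission. The following is an added example written for this note, not code from the thread or from any of the posters; it assumes PHP sessions are enabled and a PHP version with `random_bytes()` and `hash_equals()`. A copy of the form saved to disk and re-posted from another machine carries no matching session cookie, and another site cannot read the token to include it, which is what the Referer check was trying to achieve.

```php
<?php
// Added example (not from the mailing-list thread): a per-session form
// token that the receiving script verifies directly, instead of trusting
// the Referer header or an intermediate script that merely resends data.
// Assumes sessions are available and PHP >= 7.0 (random_bytes, hash_equals).

session_start();

// Issue one token per session and reuse it for every form in that session.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        // 32 random bytes, hex-encoded: unguessable, and unreadable by any
        // other site because it lives only in this user's session and page.
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Compare the submitted token with the session token in constant time.
// Returns false when the field is missing or no token was ever issued.
function token_is_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['token'] ?? null)) {
        // Reject before touching any other field: the request did not
        // originate from a form this session was given.
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // The token proves origin only; field contents still need their own
    // validation here, exactly as the receiving script would do anyway.
    echo 'Accepted.';
    exit;
}
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars(form_token(), ENT_QUOTES) ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

The token check belongs in the script that actually processes the data (Script B in the thread), since that is the only place the decision can be enforced; an intermediate Script A that forwards everything unchanged cannot add this guarantee, which is the point John makes above.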