bruce wrote:
however, i still don't have a good answer to my question regarding how
easy (or hard) it is to detect if a query that should have originated
with your app's form is coming from a 3rd party/external site?
am i missing something here?
Possibly. I think you're missing the fact that every request sent to
your web server comes from a remote site. The requests are sent by your
users, so they come from all over the place.
In general, this isn't a concern. Things like spoofing forms is not
something you can prevent, nor does it matter - our job as developers is
to make users play by our rules. How they choose to do so is irrelevant.
The one exception is CSRF, which I briefly described earlier. The
standard protection against CSRF is to use tokens in your forms, a
technique described in the PHP Security by Example talk:
http://brainbulb.com/talks/php-security-by-example.pdf
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
