Can you set $_POST values outside the script?
Posted: Sat Jan 28, 2012 3:04 am
This post stems from another thread (post forms security - tampering) but is (to me) related to this: Is there a way to fake (spoof) $_POST values?
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
Code: Select all
<?php
if isset($_POST['submitButton'])) {
// do processing
}
?>Code: Select all
<input type="hidden" class="hidden" name="comment_author_hash" value="85cQjZyUDM1YTM" />It's not so much spoofing as it is crafting. Of course you can craft an http post, and you dont need a browser to do it. You can insert any data that you want. By viewing the page source of the form you wish to craft, you will have an idea of what pieces of data the server expects. Once you know the fields the server expects, you can insert any arbitrary data.social_experiment wrote:This post stems from another thread (post forms security - tampering) but is (to me) related to this: Is there a way to fake (spoof) $_POST values?
Code: Select all
$ telnet example.org 80
> POST /test/forms/login.php HTTP/1.1
> Host: example.org
> User-Agent: myTelnetScript
> Content-Length: 86
> Content-Type: application/x-www-form-urlencoded
> Cookie: PHPSESSID=1234
>
> username=Tony&password=password&persistent=on&hiddenInput=someData&=submitButton=Login
>
> Code: Select all
print_r($_POST);
//Array ( [username] => Tony [password] => password [persistent] => on [hiddenInput] => someData [submitButton] => Login )