php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #26684 POST to external server
Submitted: 2003-12-21 12:04 UTC Modified: 2003-12-21 12:40 UTC
From: telefoontoestel at officepxert dot digitaal dot biz Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.3.4 OS: Linux 8.5.3-STABLE #3
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: telefoontoestel at officepxert dot digitaal dot biz
New email:
PHP Version: OS:

 

 [2003-12-21 12:04 UTC] telefoontoestel at officepxert dot digitaal dot biz 
Description:
------------
It is possible to post data to an script on an external server. I find this a huge bug in the php api, because of this harmfull persons can add/alter any kind of data to a script. Will this be resolved in a future PHP version?

Reproduce code:
---------------
[external server]
<?php
ini_set("register_globals", 1);

$variabel = $_POST["test_var"];

if(!empty($variabel)){
	print "This is the bug I'm talking about";
}
?>

[other server]
<form method="post" action="http://my.external.site/externalphpscript.php">
<input type="text" name="test_var">
<input type="submit" value="Test">
</form>

Expected result:
----------------
This is the bug I'm talking about

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-21 12:40 UTC] derick@php.net 
Uhm? This has nothing to do with PHP. It's the browser that sends the POST request; PHP only handles the POST request and there is no reason it should deny it if it comes from a 'different' server. It's up to the programmer to guard for this...this is just a basic feature of the "www".
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Oct 26 11:00:02 2025 UTC