php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26684 POST to external server
Submitted: 2003-12-21 12:04 UTC Modified: 2003-12-21 12:40 UTC
From: telefoontoestel at officepxert dot digitaal dot biz Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.3.4 OS: Linux 8.5.3-STABLE #3
Private report: No CVE-ID: None
 [2003-12-21 12:04 UTC] telefoontoestel at officepxert dot digitaal dot biz
Description:
------------
It is possible to post data to an script on an external server. I find this a huge bug in the php api, because of this harmfull persons can add/alter any kind of data to a script. Will this be resolved in a future PHP version?

Reproduce code:
---------------
[external server]
<?php
ini_set("register_globals", 1);

$variabel = $_POST["test_var"];

if(!empty($variabel)){
	print "This is the bug I'm talking about";
}
?>

[other server]
<form method="post" action="http://my.external.site/externalphpscript.php">
<input type="text" name="test_var">
<input type="submit" value="Test">
</form>

Expected result:
----------------
This is the bug I'm talking about


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-21 12:40 UTC] derick@php.net
Uhm? This has nothing to do with PHP. It's the browser that sends the POST request; PHP only handles the POST request and there is no reason it should deny it if it comes from a 'different' server. It's up to the programmer to guard for this...this is just a basic feature of the "www".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC