PHP :: Bug #26684 :: POST to external server

Bug #26684	POST to external server
Submitted:	2003-12-21 12:04 UTC	Modified:	2003-12-21 12:40 UTC
From:	telefoontoestel at officepxert dot digitaal dot biz	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.3.4	OS:	Linux 8.5.3-STABLE #3
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-12-21 12:04 UTC] telefoontoestel at officepxert dot digitaal dot biz

Description:
------------
It is possible to post data to an script on an external server. I find this a huge bug in the php api, because of this harmfull persons can add/alter any kind of data to a script. Will this be resolved in a future PHP version?

Reproduce code:
---------------
[external server]
<?php
ini_set("register_globals", 1);

$variabel = $_POST["test_var"];

if(!empty($variabel)){
	print "This is the bug I'm talking about";
}
?>

[other server]
<form method="post" action="http://my.external.site/externalphpscript.php">
<input type="text" name="test_var">
<input type="submit" value="Test">
</form>

Expected result:
----------------
This is the bug I'm talking about

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-12-21 12:40 UTC] derick@php.net

Uhm? This has nothing to do with PHP. It's the browser that sends the POST request; PHP only handles the POST request and there is no reason it should deny it if it comes from a 'different' server. It's up to the programmer to guard for this...this is just a basic feature of the "www".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Jul 12 05:01:33 2025 UTC