[nycphp-talk] PHP Penetration Discussion
Jon Niola
jon at mediavortex.com
Sat May 28 11:10:37 EDT 2005
I didn't say I was going to do it. I used the word "us" meaning group
effort based on discussions we could/would have on list.
I did not profess to be a security expert and never would. :)
I was not aware that an env var such as that could be so easily
spoofed. I was under the impression that was a variable generated by
Apache /shrug
The link you sent is an interesting read. Thanks for the info.
--Jon
>On Sat, 28 May 2005, Jon Niola wrote:
>
>> Thinking about that article I was wondering, why not just check the
>> HTTP_REFERER to make sure the form is being submitted from server as
>> opposed to someone storing it locally and editing vars?
>>
>> Might not be too bad an idea for us to put together a security page
>> with best practices, do's and don'ts, etc. It would be a valuable
>> resource for even the seasoned coders. Some of the best coders I know
>> take security for granted.
>
>I don't mean to be rude, but if you really think checking HTTP_REFERER
>is a good way to protect against this type of attack, you probably
>shouldn't be working on a security "best practices" page.
>
>This value is easily spoofed because an attacker can manually set the
>HTTP header herself and the value is easily known. See
>http://shiflett.org/archive/96.
>
>-adam
>
>--
>adam at trachtenberg.com | http://www.trachtenberg.com
>author of o'reilly's "upgrading to php 5" and "php cookbook"
>avoid the holiday rush, buy your copies today!
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
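As an added illustration of the point Adam makes (this is example code written for this page, not code from either poster), the snippet below puts the proposed HTTP_REFERER check next to a per-session form token, which is the property the referer lacks: a value the server chose and a third party cannot know in advance. It assumes PHP 7 or later (for random_bytes) and PHP sessions; the function and field names are made up for the example.

```php
<?php
// Added example, not from the thread. Contrasts a referer check with a
// per-session form token for confirming a form came from this server.

session_start();

// WEAK: HTTP_REFERER is just a request header supplied by the client, so
// its value is under the sender's control, and some browsers and proxies
// omit it entirely, so legitimate users can be rejected too.
function referer_looks_local(): bool
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return parse_url($ref, PHP_URL_HOST) === ($_SERVER['HTTP_HOST'] ?? '');
}

// BETTER: generate a random secret when rendering the form, remember it
// in the session, and require the posted copy to match. Unlike the
// referer, the value is not predictable by anyone who did not receive
// the form from this server.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function form_token_is_valid(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // hash_equals() compares in constant time.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// When rendering the form (hypothetical markup):
//   $t = issue_form_token();
//   echo '<input type="hidden" name="form_token" value="'
//      . htmlspecialchars($t, ENT_QUOTES) . '">';

// When handling the submission:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_token_is_valid($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    unset($_SESSION['form_token']); // single use: a new form gets a new token
    // ... process the submission ...
}
```

The token check also needs the session cookie itself to be protected (HTTPS, HttpOnly), since the token is only as secret as the session that holds it.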