
can you send $_POST to an externally hosted php file?

Developer https://www.devze.com 2023-02-20 13:25 Source: Internet
This is a question of security, so I am not looking for a solution on how to do this, I just want to make sure that it cannot be done.


Let's say I have a file called login.php and it's hosted online and running live, let's say on http://www.rimmer.sk/login.php

Now, let's imagine this file looks like this:

<?php
// Runs for any POST request whose body carries a 'register' field.
if (isset($_POST['register'])){
   echo 'all is done !';
}
?>

Question: Can you, externally, send $_POST['register'] to my file, or can this be done only internally from files hosted within the same virtualhost?


It can be done. Everyone can send you a POST (or a GET, for that matter) request. There is no limit that forbids requests from outside your virtualhost.

(maybe not for you, maybe it is, but not everyone can set your $_SESSION, so an external domain cannot alter that)


In short, yes, it can be posted from an external site.


Yes, this can be done very easily. Take a look at: http://php.net/manual/en/book.curl.php


Of course I can post from an external location; after all, that's what the user's browser does when they submit the form. I can therefore write a script to post the register field to your server with ease.

What use case are you imagining? There are lots of security options (firewalls etc) but without knowing what you are trying to achieve, it's hard to give specifics.

One way of denying script attacks is to generate one time passwords on the server that you send to the browser with each registration form, then when you get a response back, check that the OTP is valid. This at least adds another layer of security.

But as I say ... without knowing more it's hard to be specific.
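The one-time-token layer described in the answer above, written out as an added example (it is not code from the question or from any answer). It assumes PHP 7 or later with sessions enabled; the field name `otp`, the 10-minute lifetime and the `form_tokens` session key are arbitrary choices. As the answer notes, this only proves the POST used a token the server issued to this session, so it is an extra layer, not a guarantee that a human filled in the form.

```php
<?php
// login.php with a per-form one-time token (added example, not the page's own code).
session_start();

function issue_form_token(): string {
    // Drop tokens that have already expired so the session does not grow without bound.
    foreach ($_SESSION['form_tokens'] ?? [] as $t => $exp) {
        if ($exp < time()) {
            unset($_SESSION['form_tokens'][$t]);
        }
    }
    // 32 bytes from a CSPRNG, hex-encoded, stored server-side with an expiry.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$token] = time() + 600; // valid for 10 minutes (assumed)
    return $token;
}

function consume_form_token(?string $token): bool {
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false; // not a token this session was issued
    }
    $expires = $_SESSION['form_tokens'][$token];
    unset($_SESSION['form_tokens'][$token]); // single use: remove before checking expiry
    return time() <= $expires;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['register'])) {
    if (!consume_form_token($_POST['otp'] ?? null)) {
        http_response_code(403);
        echo 'invalid or expired form token';
        exit;
    }
    echo 'all is done !';
    exit;
}

// GET: render the form with a fresh token embedded as a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="login.php">'
   . '<input type="hidden" name="otp" value="' . $token . '">'
   . '<button type="submit" name="register" value="1">Register</button>'
   . '</form>';
```

A POST that omits `otp`, reuses one, or sends one older than ten minutes is rejected with 403, while a replay of a valid token fails because the first use removes it from the session.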


or can this be done only internally from files hosted within the same virtualhost?

Quite the contrary. This cannot be done only internally. In fact, a form being sent not from server internals but from the user's browser

