birbal Posted October 27, 2010
I read somewhere that all $_SERVER variables are not trusted and that you shouldn't trust any $_SERVER vars. They were talking specifically about some var, but they did not explain why that is, so I am a little bit confused by that concept. How can the $_SERVER vars be untrusted? Do they need to be validated too? And if there is any particular list of malicious $_SERVER vars, what is it?
justsomeguy Posted October 27, 2010
The $_SERVER array contains some information sent by the browser, so you can't necessarily rely on that to be accurate. Even though the browser might say it's IE, that doesn't mean it actually is.
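To make the reply above concrete, here is an added example (my own code, not something posted in this thread) that separates the $_SERVER entries PHP copies straight out of the request from the ones the server fills in itself, and shows what "treat it as input" means in practice. The request array, the proxy address and the hostnames are constructed for the demonstration; the X-Forwarded-For handling assumes a single reverse proxy that appends the real client address.

```php
<?php
// Added example, not from the original post. Classifies $_SERVER keys by who
// controls them and shows three values being handled as untrusted input.

// Everything PHP derives from the request line and request headers is chosen
// by the client. Every request header arrives as HTTP_<NAME>, so the whole
// HTTP_ family (User-Agent, Host, Referer, X-Forwarded-For, ...) is included.
const CLIENT_CONTROLLED_PREFIXES = ['HTTP_'];
const CLIENT_CONTROLLED_KEYS = [
    'REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF',
    'SERVER_PROTOCOL', 'CONTENT_TYPE', 'CONTENT_LENGTH', 'PHP_AUTH_USER', 'PHP_AUTH_PW',
];

function isClientControlled(string $key): bool
{
    foreach (CLIENT_CONTROLLED_PREFIXES as $prefix) {
        if (strncmp($key, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return in_array($key, CLIENT_CONTROLLED_KEYS, true);
}

// REMOTE_ADDR comes from the TCP connection, so a client cannot simply type a
// different value into it the way it can with a header. It is only the real
// client address when no reverse proxy sits in front of PHP; behind a proxy,
// honour X-Forwarded-For only when the connection came from that proxy, and
// take the last hop (the one the proxy appended), never the first.
function clientIp(array $server, array $trustedProxies = []): string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    if ($trustedProxies !== [] && in_array($addr, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $addr;
}

// Classic mistake: echoing PHP_SELF unescaped into a form's action attribute.
// The path part of the URL is chosen by whoever builds the link, so it must be
// escaped exactly like any other user input before it goes into HTML.
function formAction(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed request: a made-up User-Agent, a spoofed X-Forwarded-For and a
// script tag smuggled into the path.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (compatible; MSIE 9.0)',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    'PHP_SELF'             => '/form.php/"><script>alert(1)</script>',
];

foreach ($request as $key => $value) {
    printf("%-22s %s\n", $key, isClientControlled($key) ? 'client-controlled' : 'server-derived');
}
echo clientIp($request), "\n";                    // no trusted proxy: the header is ignored
echo clientIp($request, ['203.0.113.7']), "\n";   // proxy trusted: header value used instead
echo formAction($request), "\n";                  // angle brackets and quotes are entity-encoded
```

Run it with `php example.php`. REMOTE_ADDR is reported as server-derived and the header-based keys as client-controlled; without a trusted proxy the spoofed X-Forwarded-For has no effect, and the injected path comes back entity-encoded instead of as live markup.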
boen_robot Posted October 28, 2010
You can use tools like Fiddler (see my signature) or Firebug to see what HTTP requests look like. Anything that you see as part of the request can't be trusted. This includes the values of ALL request headers (including some you may otherwise not think about, such as "Host"), the body, heck, even the HTTP method and version (though these rarely make for security issues).
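The "Host" remark above deserves a worked case, so here is an added example (mine, not code from this thread). It goes slightly beyond the post by showing the consequence of trusting Host: a password-reset link built from $_SERVER['HTTP_HOST'] ends up pointing wherever the client's Host header says. The allowed hostname list and the request array are constructed; a real application would read the canonical hostname from its configuration.

```php
<?php
// Added example, not from the original post. Host is just another request
// header, so HTTP_HOST (and, with Apache's default UseCanonicalName Off,
// SERVER_NAME as well) is attacker-chosen and must be checked before use.

// Constructed configuration value: the names this site actually answers to.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Vulnerable form: whatever arrived in "Host:" becomes part of a link that is
// then e-mailed to the user, so a forged header redirects the token elsewhere.
function resetLinkUnsafe(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/reset.php?token=' . rawurlencode($token);
}

// Hardened form: accept the header only when it is one of our own names and
// fail closed otherwise. An optional :port suffix is stripped before comparing.
function canonicalHost(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new RuntimeException('Unrecognised Host header: ' . $host);
    }
    return $host;
}

function resetLinkSafe(array $server, string $token): string
{
    return 'https://' . canonicalHost($server) . '/reset.php?token=' . rawurlencode($token);
}

// Constructed request, as it would look when sent by hand with Fiddler or curl:
//   GET /forgot.php HTTP/1.1
//   Host: attacker.example
$forged = ['HTTP_HOST' => 'attacker.example'];
$token  = bin2hex(random_bytes(16));

echo resetLinkUnsafe($forged, $token), "\n";   // link now points at attacker.example
try {
    echo resetLinkSafe($forged, $token), "\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The same request with a legitimate Host header goes through the safe path.
$genuine = ['HTTP_HOST' => 'WWW.Example.com:443'];
echo resetLinkSafe($genuine, $token), "\n";    // https://www.example.com/reset.php?token=...
```

The allowlist comparison is the whole defence: the code never tries to decide whether a Host value "looks valid", it only asks whether it is one of the names the site is known by. If the site is served under several names, list all of them, and keep the port stripping in place so that `Host: www.example.com:443` is not rejected.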
birbal Posted October 28, 2010 (Author)
> You can use tools like Fiddler (see my signature) or Firebug to see what HTTP requests look like. Anything that you see as part of the request can't be trusted. This includes the values of ALL request headers (including some you may otherwise not think about, such as "Host"), the body, heck, even the HTTP method and version (though these rarely make for security issues).

Alright, now it's becoming clearer. But I want to ask particularly about HTTP_REFERER; what about that? I read somewhere that it can't be trusted, though they did not clarify the concept.
justsomeguy Posted October 28, 2010
The Referer header is another header the browser sends, so the browser can send anything it wants. Some browsers are configured to never send Referer headers, and there are some situations (like going from HTTPS to HTTP) where they are explicitly not supposed to be sent.
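To show why the Referer header fails as a security check, here is an added example (my own, not posted in this thread) that classifies the header and runs a naive "only my own pages may call this" gate over a few constructed requests. The hostnames and request arrays are made up; `OUR_HOST` stands in for a configured site name.

```php
<?php
// Added example, not from the original post. The Referer header is set by the
// client, so it can be forged outright, and legitimate browsers frequently
// omit it (privacy settings, HTTPS to HTTP navigation). A check on it can
// therefore only ever be a hint, never a gate.

// Constructed configuration value.
const OUR_HOST = 'www.example.com';

// Returns one of 'absent', 'same-site', 'cross-site' or 'malformed'.
function classifyReferer(array $server): string
{
    if (!isset($server['HTTP_REFERER']) || $server['HTTP_REFERER'] === '') {
        return 'absent';
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'malformed';
    }
    return strtolower($parts['host']) === OUR_HOST ? 'same-site' : 'cross-site';
}

// The naive gate. Denying 'absent' locks out every user whose browser strips
// the header; allowing 'same-site' admits anyone who typed the header in.
function naiveRefererGate(array $server): bool
{
    return classifyReferer($server) === 'same-site';
}

// Constructed requests. Note that 'genuine' and 'forged' are byte-for-byte
// identical on the server side: that is the whole problem.
$cases = [
    'genuine'   => ['HTTP_REFERER' => 'https://www.example.com/account.php'],
    'forged'    => ['HTTP_REFERER' => 'https://www.example.com/account.php'], // e.g. curl -e
    'no-header' => [],                                                         // privacy setting, or https -> http
    'external'  => ['HTTP_REFERER' => 'http://other.example/lure.html'],
    'garbage'   => ['HTTP_REFERER' => 'not a url'],
];

foreach ($cases as $name => $server) {
    printf("%-10s %-10s gate=%s\n",
        $name, classifyReferer($server), naiveRefererGate($server) ? 'allow' : 'deny');
}
```

The output makes the two failure modes visible side by side: the forged request is allowed exactly like the genuine one, while the request with no header at all is denied even though it may well come from a real user. Logging the classification is fine; basing an authorisation decision on it is not.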