Yes, absolutely! Do not trust the values of $_GET or $_POST at any time!
Suppose a third-party site submits a form. It can post any address.
A simple solution would be to not include the address, but the md5() hash of the address in the form. After the form is submitted, the task of your script is to map the hash to the actual address and then fix the Location header.
My other post may be of interest.
You can claim that your application is bulletproof. Why shouldn't I pass the url directly?
In fact, even well-designed applications are not bulletproof. Lean back and try to remember your last "Ah, I forgot something. Let me fix this event."
Have you checked each control for each and every condition?
- The user double-clicks the submit button for the web form. Thus, the controller works twice.
- The user presses F5 repeatedly, which repeats the last update controller.
- The user somehow controls the parameters, and the controller is called with the values turned off.
Therefore, I suggest not passing links or other parameters directly or unprotected/unapproved.
@Col. Shrapnel I fully understand that any URL can be sent to a web application at any time. This is trivial.
However, at a given point in the control stream, there are certain acceptable following states of the control stream.
To make sure that only those that have been achieved in the following control states are achieved, I suggest checking.
More general approach
In fact, the updated internal infrastructure never passes any parameters as GET or POST parameters from request to request. All parameters are saved and retrieved from the user session [inside the so-called stream, which is part of a larger control stream].
Using the framework, only one parameter is passed - FlowID. If the infrastructure does not find the FlowID in the session thread store, the environment throws an exception and the dispatcher displays an error message.
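
The hash-to-address mapping suggested in the answer above, as an added example that is not part of the original post. The target list, the `next` field name and the function names are assumptions made for illustration; the md5() value serves only as a lookup key, and the protection comes from the server-side list.

```php
<?php
declare(strict_types=1);

// Assumption: the fixed set of addresses this application may redirect to.
const REDIRECT_TARGETS = [
    '/account/overview',
    '/orders/list',
    'https://www.example.com/help',
];
const DEFAULT_TARGET = '/';

/** Build the hash => address table on the server; it is never sent to the client. */
function redirectMap(): array
{
    $map = [];
    foreach (REDIRECT_TARGETS as $address) {
        $map[md5($address)] = $address;
    }
    return $map;
}

/** Value to place in the hidden form field instead of the address itself. */
function redirectToken(string $address): string
{
    if (!in_array($address, REDIRECT_TARGETS, true)) {
        throw new InvalidArgumentException('Address is not a known redirect target');
    }
    return md5($address);
}

/** Map a submitted value back to an address; anything unknown gets the default. */
function resolveRedirect($submitted): string
{
    // Reject arrays, raw URLs and anything that is not a 32-character hex digest.
    if (!is_string($submitted) || !preg_match('/\A[0-9a-f]{32}\z/', $submitted)) {
        return DEFAULT_TARGET;
    }
    return redirectMap()[$submitted] ?? DEFAULT_TARGET;
}

// Form handler: the Location header only ever carries an entry of REDIRECT_TARGETS.
if (PHP_SAPI !== 'cli') {
    header('Location: ' . resolveRedirect($_POST['next'] ?? null), true, 303);
    exit;
}

// Constructed inputs for a command-line run: a valid token, a raw URL, an array.
var_dump(resolveRedirect(redirectToken('/orders/list')));
var_dump(resolveRedirect('https://unknown.example/'));
var_dump(resolveRedirect(['next' => '/orders/list']));
```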