Is valid this base_url setup??
#6

The $_SERVER['HTTP_HOST'] value is created based on the request headers from the browser, and it's easy to manipulate them. The value of $config['base_url'] is used, for example, in the URL helper, the form_open function, etc. You should not have a situation where some header of the client can change all the URLs on your page, or even change the action URL of a login form to some external location...

Therefore you should never ever trust user input blindly, and not only validate that it's a valid domain name, but in this case you should check that $_SERVER['HTTP_HOST'] is indeed set to a domain you own. I use a similar whitelist approach to Krycek's.

http://www.skeletonscribe.net/2013/05/pr...tacks.html
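One way to apply the whitelist check described in this post, as an added example that is not code from the post, from Krycek's reply, or from CodeIgniter itself. It assumes a CodeIgniter 3 style config file where $config['base_url'] is set, and the host names in $allowed_hosts are constructed placeholders to replace with domains you actually own.

```php
<?php
// Added example: derive $config['base_url'] only from a whitelist of hosts
// you own, never from the raw Host header. The host names below are
// constructed placeholders, not real values.
$allowed_hosts = [
    'example.com',
    'www.example.com',
];

/**
 * Return the Host header value if it is on the whitelist, otherwise the
 * first whitelisted host. An explicit port suffix is stripped before the
 * comparison so "example.com:8080" still matches "example.com".
 */
function resolve_trusted_host(array $allowed_hosts, ?string $http_host): string
{
    $fallback = $allowed_hosts[0];
    if ($http_host === null || $http_host === '') {
        return $fallback;
    }
    // Strip an explicit port and normalise case.
    $host = strtolower(preg_replace('/:\d+$/', '', $http_host));
    // Exact match only: no substring or regex matching, so a header such as
    // "example.com.attacker.invalid" falls back instead of being accepted.
    return in_array($host, $allowed_hosts, true) ? $host : $fallback;
}

$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host   = resolve_trusted_host($allowed_hosts, $_SERVER['HTTP_HOST'] ?? null);

// Every URL the url helper and form_open() build now starts with a host you
// control, regardless of what the client sent in its Host header.
$config['base_url'] = $scheme . '://' . $host . '/';
```

Falling back to a known-good host rather than echoing the header back keeps links and form actions on your own domain even when a request arrives with an unexpected Host value; if you would rather reject such requests outright, replace the fallback with a 400 response.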


Messages In This Thread
Is valid this base_url setup?? - by eloyucu - 02-18-2016, 02:10 AM
RE: Is valid this base_url setup?? - by Narf - 02-18-2016, 02:42 AM
RE: Is valid this base_url setup?? - by freddy - 02-18-2016, 06:26 PM
RE: Is valid this base_url setup?? - by Krycek - 02-18-2016, 07:03 AM
RE: Is valid this base_url setup?? - by rsilva6 - 02-18-2016, 11:36 AM
RE: Is valid this base_url setup?? - by Diederik - 02-19-2016, 01:30 AM
RE: Is valid this base_url setup?? - by cartalot - 02-19-2016, 12:48 PM