It would still be vulnerable to a CSRF attack. The attacker can just get a logged-in user to launch their exploit, through a vulnerable site they frequent or even a link or image in an email.


Theoretically, building CSRF protection in isn't mutually exclusive with passing unsanitised variables to a shell. Although sure, most people who do the latter won't do the former.
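As an added example (not code from the thread), the two controls the comment treats as independent, side by side: a CSRF token check that decides whether the request is genuine, and argument handling that decides what reaches the command, by passing the value as a single argv element with no shell and validating it against a strict pattern. The lookup handler, the hostname regex and the use of `dig` are assumptions made for the example.

```python
from __future__ import annotations

import hmac
import re
import secrets
import subprocess
from typing import Optional

# Strict allow-list for a DNS name: labels of alnum/hyphen, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def issue_token() -> str:
    """Per-session CSRF token; a real app stores it server-side with the session."""
    return secrets.token_urlsafe(32)

def csrf_ok(session_token: str, form_token: Optional[str]) -> bool:
    """Control 1: was this request sent by a page we issued the token to?"""
    if not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)

def valid_hostname(host: str) -> bool:
    """Control 2a: reject anything that is not plainly a hostname."""
    return bool(HOSTNAME_RE.match(host))

def unsafe_command(host: str) -> str:
    # The pattern the thread warns about: this string handed to a shell
    # (shell=True / os.system) lets metacharacters in `host` become commands.
    return f"dig +short {host}"

def build_argv(host: str) -> list[str]:
    """Control 2b: argv list, no shell, so `host` is always exactly one
    argument to the program regardless of the characters it contains."""
    return ["dig", "+short", host]

def handle_lookup(session_token: str, form_token: Optional[str],
                  host: str, run: bool = False) -> dict:
    """Both checks must pass before anything is executed (constructed handler)."""
    if not csrf_ok(session_token, form_token):
        return {"status": 403, "reason": "csrf"}
    if not valid_hostname(host):
        return {"status": 400, "reason": "hostname"}
    argv = build_argv(host)
    if run:  # off by default so the example runs without dig installed
        subprocess.run(argv, check=False, capture_output=True, timeout=10)
    return {"status": 200, "argv": argv}
```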



