Hi On 9/14/22 20:44, Jordan LeDoux wrote:
Honestly, another question I'm thinking about at the moment is whether it's possible to construct an attack against known script behavior if you also are able to determine the ini config at which partial form data would make it to the script with the script thinking it has full form data. To be clear, I haven't been able to think of one, but I also recognize that I'm not nearly as clever at those sorts of things as some attackers are.
Maybe I misunderstood what you are thinking about, but can't you just … not send all the fields to achieve exactly the same results as an attacker?
Best regards Tim Düsterhus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php