Re: trying to figure out the best/efficient way to tell who is logged into a site..

"Ben" <ben@xxxxxxxxxxxxxxxxx> wrote in message 
news:43287B03.4000500@xxxxxxxxxxxxxxxxxxxx
> Dan Baker wrote:
>
>> Why is using $_REQUEST a security issue?  You know every value in the 
>> entire array came from the end-user, and needs to be validated somehow. 
>> If your code is written so the end-user can send this data to you via a 
>> POST/GET/COOKIE, why not use $_REQUEST?
>
> On the one hand, you can't trust anything that came from the client, but 
> on the other if you're expecting a variable to come from a cookie and 
> instead it comes from a get you know something weird is going on, but 
> using $_REQUEST you'll be oblivious.  You ought to know where your 
> variable values are coming from, $_REQUEST hides this.

Interesting, but I think I wouldn't spend the extra code to detect if I was 
expecting a POST, but got a GET.  If I didn't get the value from POST, I'd 
just assume it wasn't there -- I wouldn't go looking elsewhere for it, and 
report an error.

The *main* reason I use $_REQUEST is so I can code up GET and POST pages 
that all are handled by the same php functions.  I may have an item called 
"Key" that contains what the end-user is expected to be doing ("User.Create" 
or "User.Edit" or whatever).  Then I may have a link (GET) that has 
?Key=User.Create, while a form (POST) that has a hidden value "Key" with 
value "User.Create".  I don't really care if it came from a GET or POST --  
if the data is all valid, I'll allow it to work.

> In older versions of PHP4 this is even more of an issue since $_FILE 
> information was also included in $_REQUEST.  If someone uploads a file 
> while including conflicting information from another source (cookie, post, 
> get) this could lead to all sorts of problems.

I didn't know this one.  This might cause problems for me.

> And the lazy guy answer...  typing $_POST and $_GET is faster than typing 
> $_REQUEST ;-).

This is, by far, the best reason I've ever heard!  <grin>

DanB

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
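The two approaches argued over above, as an added example that is not part of either post: a "Key" dispatcher fed from one merged array (what $_REQUEST gives you, simulated here with array_merge in a configuration where cookies are included and come last) beside one that reads only the array for the method actually used. The action names, the dispatch functions and the constructed request arrays are assumptions so the script runs from the CLI without a web server.

```php
<?php
// Added example, not code from the thread. Simulates the "Key" dispatch
// discussed above with constructed request arrays so it runs from the CLI.

// Hypothetical action table: which method each action is accepted from.
const ACTIONS = ['User.Create' => 'POST', 'User.Edit' => 'POST', 'User.View' => 'GET'];

// The $_REQUEST way: one merged array, source unknown. Which sources are
// merged, and which one wins on a name clash, is decided by the request_order
// (or variables_order) ini setting, not by the code that reads the value.
// This simulates a "GPC" order, where a cookie overrides GET and POST.
function keyFromMerged(array $get, array $post, array $cookie): ?string
{
    $merged = array_merge($get, $post, $cookie);
    return $merged['Key'] ?? null;
}

// The explicit way: look only in the array for the method actually used,
// validate against the table, and reject actions arriving over the wrong
// method. Cookies are never consulted for the action name.
function dispatch(string $method, array $get, array $post): string
{
    $params = ($method === 'POST') ? $post : $get;
    $key = $params['Key'] ?? null;
    if (!is_string($key) || !isset(ACTIONS[$key])) {
        return 'error: unknown or missing Key';
    }
    if (ACTIONS[$key] !== $method) {
        return "error: $key is not accepted via $method";
    }
    return "ok: $key";
}

// Constructed requests: a plain GET link carrying Key=User.View, plus a
// stale cookie also named Key left over from an earlier form. The merged
// lookup returns the cookie's value; the explicit lookup returns the link's.
$get    = ['Key' => 'User.View'];
$post   = [];
$cookie = ['Key' => 'User.Edit'];

echo 'merged:   ', keyFromMerged($get, $post, $cookie), PHP_EOL;
echo 'explicit: ', dispatch('GET', $get, $post), PHP_EOL;

// A state-changing action sent as a query string is refused outright.
echo 'explicit: ', dispatch('GET', ['Key' => 'User.Create'], []), PHP_EOL;
```

In real request handling the arrays come from $_GET and $_POST and the method from $_SERVER['REQUEST_METHOD']; the point is that the caller, not an ini setting, decides which array is consulted.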