In general, user input should never be trusted. Someone once told me that
if you ask for yes or no, you should always validate for yes, no and don't
know (of course, this was before windowed environments where the users can
only click what you offer them).

In a web environment you have a higher ratio of untrained users. In the old
days, when you deployed an application, you planned for user training. You
have none of that here; anyone can join in and, many times, anonymously, so
they know they won't even be blamed for anything irresponsible that they can
do on your system. You can't even count on holding users responsible for
anything.

Finally, there is intentional mischief, and there is lots of it.

Suppose you have a form which you submit in a POST so the user can't see
what's being transmitted. Nothing prevents someone from viewing the source of
the page, picking the input field names and assembling a fake request. If you
read it from $_REQUEST instead of from $_POST you are even exposed to this
GET request attack, which is easier than faking a POST. For example, when I
joined some organization, their web site asked for some data, amongst it the
number of my ID card. ID cards have check-digit validation and it rejected
mine. Indeed, mine is not a regular national ID card but an alien resident
card which uses a different algorithm for validation. I assembled a GET
request in a URL with all the data of the form, including my alien card, and
the system accepted it! So, never trust data coming from the browser
even if you have put validation on your pages, and if it is meant to come as
a POST, make sure it comes from one.

And we are not even talking about malicious requests. Usually there is not
much script in between user input and the database. If there is no
validation, it is quite open to SQL injection attacks, that is, chaining a
SQL instruction to a data field and having it execute along with your original one.
You can read far more about this in places like http://phpsecurity.org/ or
http://phpsec.org/ and I'm sure other list members will supply more.
Satyam
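
The three checks described in the reply above (accept the form only as a POST, validate again on the server, keep the values out of the SQL text), as an added example that is not part of the original message. The function name, the field names `name` and `id_number`, the `members` table and the 8-digit ID rule are all assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. handle_signup(), the field names,
// the members table and the 8-digit ID rule are hypothetical.
function handle_signup(array $server, array $post, PDO $db): array
{
    // Accept the form only as a POST; a hand-built GET URL is refused outright.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'POST required'];
    }
    // Read from the POST body only, not $_REQUEST, which can also carry GET and COOKIE values.
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $id   = is_string($post['id_number'] ?? null) ? $post['id_number'] : '';
    // Server-side validation repeats whatever the page itself checked in the browser.
    if ($name === '' || strlen($name) > 100) {
        return [400, 'invalid name'];
    }
    if (!preg_match('/\A[0-9]{8}\z/', $id)) {
        return [400, 'invalid id_number'];
    }
    // Bound parameters are sent as data, so a value cannot chain a second statement.
    $stmt = $db->prepare('INSERT INTO members (name, id_number) VALUES (:name, :id)');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return [200, 'stored'];
}

// Constructed demo data, run against in-memory SQLite (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (name TEXT, id_number TEXT)');
$cases = [
    // Fields sent in a query string never reach $_POST, so the POST array is empty.
    'GET with form fields' => ['GET',  []],
    'POST, malformed ID'   => ['POST', ['name' => 'Ana', 'id_number' => 'X-1234']],
    'POST, quote in name'  => ['POST', ['name' => "x'); DROP TABLE members; --", 'id_number' => '12345678']],
    'POST, valid'          => ['POST', ['name' => 'Ana', 'id_number' => '87654321']],
];
foreach ($cases as $label => [$method, $post]) {
    [$status, $msg] = handle_signup(['REQUEST_METHOD' => $method], $post, $db);
    printf("%-22s -> %d %s\n", $label, $status, $msg);
}
printf("rows stored: %d\n", $db->query('SELECT COUNT(*) FROM members')->fetchColumn());
```

In a real page the call would be `handle_signup($_SERVER, $_POST, $db)`; the name containing a quote is stored as literal text rather than executed.
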
----- Original Message -----
From: "Martin Marques" <martin@xxxxxxxxxxxxxxx>
To: <php-general@xxxxxxxxxxxxx>
Sent: Saturday, June 17, 2006 1:52 PM
Subject: GET, POST, REQUEST
Yesterday when reading some doc on PHP I noticed the $_REQUEST predefined
array, which looked like a solution to having to check in GET and POST
data (I'm not sure if it will really have an impact on my program yet).
The thing is, I also saw this description:
Variables provided to the script via the GET, POST, and COOKIE input
mechanisms, and which therefore cannot be trusted.
Now, why shouldn't it be trusted?
--
21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
--------------------------------------------------------------------------------
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php