On 6/17/06 9:30 AM, David Tulloh wrote:
Martin Marques wrote:
Yesterday when reading some doc on PHP I noticed the $_REQUEST
predefined array, which looked like a solution to having to check in GET
and POST data (I'm not sure if it will really have an impact on my
program yet).
Yes, request is simply a merge of these arrays. It can be very useful
and tends to be rather under used in PHP examples.
Using $_REQUEST is similar to using register_globals. You simply cannot
trust the origin of the data. It's possible that a variable by the name
of "foo" exists as a cookie, POST value, and GET value. If you use
$_REQUEST, you cannot be assured that the value you are getting is from
the scope you intend to retrieve it.
Consider the following script:
<?php
setcookie('foo', 'cookie');
?>
<form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>?foo=get">
<input type="text" name="foo" value="post" />
<input type="submit" />
</form>
<pre>
<?php
var_dump($_REQUEST);
var_dump($_GET);
var_dump($_POST);
var_dump($_COOKIE);
?>
</pre>
Save this to a PHP file, access it through a Web browser, and click on
the "Submit" button. You'll see four different arrays that output the
$_REQUEST, $_GET, $_POST, and $_COOKIE values. The problem is that the
$_REQUEST array contains only one value for "foo," but we know it exists
in all scopes with different values.
A user that knows this can make use of this knowledge to add a GET
variable to the query string, add a cookie header to the request, or
spoof the form with other values in POST than you intend.
So, there are two things you must do here: 1) always check the origin of
your data (don't use $_REQUEST, even if it seems convenient), and 2)
always check that the input received is input expected (filter the input).
--
Ben Ramsey
http://benramsey.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
