Re: GET, POST, REQUEST

Simply using $_POST is by no means more secure than $_REQUEST.

On 6/17/06, Ben Ramsey <ramsey@xxxxxxx> wrote:
On 6/17/06 9:30 AM, David Tulloh wrote:
> Martin Marques wrote:
>> Yesterday when reading some doc on PHP I noticed the $_REQUEST
>> predefined array, which looked like a solution to having to check in GET
>> and POST data (I'm not sure if it will really have an impact on my
>> program yet).
>
> Yes, request is simply a merge of these arrays.  It can be very useful
> and tends to be rather underused in PHP examples.

Using $_REQUEST is similar to using register_globals. You simply cannot
trust the origin of the data. It's possible that a variable by the name
of "foo" exists as a cookie, POST value, and GET value. If you use
$_REQUEST, you cannot be assured that the value you are getting is from
the scope from which you intend to retrieve it.

Consider the following script:

<?php
// Put "foo" into the cookie scope; this must run before any output is sent.
setcookie('foo', 'cookie');
?>
<!-- Submitting puts "foo" into POST, while the action URL puts it into GET. -->
<form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>?foo=get">
<input type="text" name="foo" value="post" />
<input type="submit" />
</form>
<pre>
<?php
// Dump every scope so you can see which "foo" $_REQUEST ended up with.
var_dump($_REQUEST);
var_dump($_GET);
var_dump($_POST);
var_dump($_COOKIE);
?>
</pre>

Save this to a PHP file, access it through a Web browser, and click on
the "Submit" button. You'll see four different arrays that output the
$_REQUEST, $_GET, $_POST, and $_COOKIE values. The problem is that the
$_REQUEST array contains only one value for "foo," but we know it exists
in all scopes with different values.

A user that knows this can make use of this knowledge to add a GET
variable to the query string, add a cookie header to the request, or
spoof the form with other values in POST than you intend.

So, there are two things you must do here: 1) always check the origin of
your data (don't use $_REQUEST, even if it seems convenient), and 2)
always check that the input received is input expected (filter the input).

--
Ben Ramsey
http://benramsey.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html
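The merge Ben describes, as an added example that is not code from the thread: buildRequest() models how PHP fills $_REQUEST from the scopes listed in request_order (or variables_order when request_order is empty), applied left to right so a later scope overwrites an earlier one, and postValue()/postInt() show the scope-explicit, filtered read he recommends. The $get, $post and $cookie arrays are constructed stand-ins for the superglobals after his form is submitted, and all three function names are hypothetical.

```php
<?php
// Added example (not from the thread): models how $_REQUEST is filled, then a scope-explicit, validated read.

// Constructed stand-ins for $_GET, $_POST and $_COOKIE after Ben's form is submitted.
$get    = ['foo' => 'get',  'page' => '2'];
$post   = ['foo' => 'post', 'page' => 'abc'];
$cookie = ['foo' => 'cookie'];

/**
 * Model of how PHP builds $_REQUEST: the letters of request_order (or of
 * variables_order when request_order is empty) are applied left to right,
 * so a later scope silently overwrites an earlier one for the same key.
 */
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $scopes = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($scopes[$letter])) {
            $merged = array_merge($merged, $scopes[$letter]);
        }
    }
    return $merged;
}

/**
 * The alternative: read from exactly one scope and accept only values the
 * form is expected to send. Returns null for anything missing or unexpected.
 */
function postValue(array $post, string $name, array $allowed): ?string
{
    $value = $post[$name] ?? null;
    return is_string($value) && in_array($value, $allowed, true) ? $value : null;
}

function postInt(array $post, string $name, int $min = 1): ?int
{
    $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => $min]]);
    return $value === false ? null : $value;
}

// Which "foo" wins depends on server configuration, not on your code.
foreach (['GP', 'GPC', 'PG'] as $order) {
    echo str_pad($order, 4), buildRequest($order, $get, $post, $cookie)['foo'], PHP_EOL;
}

// Explicit scope plus validation: the cookie and query-string copies are never consulted.
var_dump(postValue($post, 'foo', ['post', 'other']));
var_dump(postInt($post, 'page'));
```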
