But it would seem that using $_POST cuts down on the number of possible ways that something bad could happen, doesn't it? (Someone correct me if I am wrong, I am by no means a security or PHP expert, though working towards both :D)

On Saturday 17 June 2006 14:51, Anthony Ettinger wrote:
> simply using $_POST is by no means more secure than $_REQUEST.
>
> On 6/17/06, Ben Ramsey <ramsey@xxxxxxx> wrote:
> > On 6/17/06 9:30 AM, David Tulloh wrote:
> > > Martin Marques wrote:
> > >> Yesterday when reading some doc on PHP I noticed the $_REQUEST
> > >> predefined array, which looked like a solution to having to check in
> > >> GET and POST data (I'm not sure if it will really have an impact on my
> > >> program yet).
> > >
> > > Yes, request is simply a merge of these arrays. It can be very useful
> > > and tends to be rather underused in PHP examples.
> >
> > Using $_REQUEST is similar to using register_globals. You simply cannot
> > trust the origin of the data. It's possible that a variable by the name
> > of "foo" exists as a cookie, POST value, and GET value. If you use
> > $_REQUEST, you cannot be assured that the value you are getting is from
> > the scope you intend to retrieve it from.
> >
> > Consider the following script:
> >
> > <?php
> > setcookie('foo', 'cookie');
> > ?>
> > <form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>?foo=get">
> >   <input type="text" name="foo" value="post" />
> >   <input type="submit" />
> > </form>
> > <pre>
> > <?php
> > var_dump($_REQUEST);
> > var_dump($_GET);
> > var_dump($_POST);
> > var_dump($_COOKIE);
> > ?>
> > </pre>
> >
> > Save this to a PHP file, access it through a Web browser, and click on
> > the "Submit" button. You'll see four different arrays that output the
> > $_REQUEST, $_GET, $_POST, and $_COOKIE values. The problem is that the
> > $_REQUEST array contains only one value for "foo," but we know it exists
> > in all scopes with different values.
> >
> > A user that knows this can make use of this knowledge to add a GET
> > variable to the query string, add a cookie header to the request, or
> > spoof the form with other values in POST than you intend.
> >
> > So, there are two things you must do here: 1) always check the origin of
> > your data (don't use $_REQUEST, even if it seems convenient), and 2)
> > always check that the input received is input expected (filter the
> > input).
> >
> > --
> > Ben Ramsey
> > http://benramsey.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Anthony Ettinger
> Signature: http://chovy.dyndns.org/hcard.html

--
~ Chris "Kyral" Peterman
Computer Science Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Ubuntu Member
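The following is an added example, not code posted by anyone in this thread, showing Ben's two rules in working form: read a parameter from one explicitly named scope, and validate it before use. The helper names (sources_of, expected_input, input_scopes) are my own, and the script needs PHP 8.0 or later for the union type on the $options parameter. When run from the command line it builds a constructed request that mirrors Ben's script (the same name "foo" in GET, POST and cookie) and emulates $_REQUEST the way the default variables_order=EGPCS does, where each later scope overrides the earlier ones; which scope actually wins in a real deployment is decided by the request_order / variables_order ini settings, not by your code, which is the point.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not from the thread. Two helpers:
 *   sources_of()     lists every scope that carries a given name, which is
 *                    exactly the information $_REQUEST throws away;
 *   expected_input() reads a name from ONE explicitly chosen scope and
 *                    validates it (Ben's points 1 and 2).
 * Function names are my own; requires PHP 8.0+.
 */

function input_scopes(): array
{
    return ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
}

/** Every scope in which $name was sent, with the value each one carries. */
function sources_of(string $name): array
{
    $found = [];
    foreach (input_scopes() as $scope => $vars) {
        if (array_key_exists($name, $vars)) {
            $found[$scope] = $vars[$name];
        }
    }
    return $found;
}

/**
 * Read $name from exactly the scope the caller expects and pass it through
 * a filter_var() filter. Returns null when the parameter is absent from that
 * scope, is not a plain string (e.g. foo[]=x), or fails validation.
 */
function expected_input(string $scope, string $name, int $filter = FILTER_DEFAULT, array|int $options = 0): ?string
{
    $scopes = input_scopes();
    if (!array_key_exists($scope, $scopes)) {
        throw new InvalidArgumentException("unknown input scope: $scope");
    }
    $raw = $scopes[$scope][$name] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $clean = filter_var($raw, $filter, $options);
    return $clean === false ? null : (string) $clean;
}

if (PHP_SAPI === 'cli') {
    // Constructed request so the script runs offline from the command line:
    // "foo" in all three scopes as in Ben's script, plus an "id" that is a
    // valid integer only in the query string. $_REQUEST is emulated the way
    // variables_order=EGPCS builds it (later scopes override earlier ones).
    $_GET     = ['foo' => 'get',  'id' => '42'];
    $_POST    = ['foo' => 'post', 'id' => '42; DROP TABLE users'];
    $_COOKIE  = ['foo' => 'cookie'];
    $_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
}

echo "scopes carrying 'foo': ", json_encode(sources_of('foo')), "\n";
echo "\$_REQUEST['foo']: ", var_export($_REQUEST['foo'] ?? null, true), "\n";
echo "expected_input('post', 'foo'): ",
     var_export(expected_input('post', 'foo'), true), "\n";
echo "expected_input('post', 'id', FILTER_VALIDATE_INT): ",
     var_export(expected_input('post', 'id', FILTER_VALIDATE_INT), true), "\n";
echo "expected_input('get', 'id', FILTER_VALIDATE_INT): ",
     var_export(expected_input('get', 'id', FILTER_VALIDATE_INT), true), "\n";
echo "expected_input('cookie', 'id'): ",
     var_export(expected_input('cookie', 'id'), true), "\n";
```

In a real web request you can do the same thing with the built-in filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); the example uses filter_var() on the superglobal arrays only because filter_input() reads the original request data and would not see the values the CLI harness assigns. Note also that the rejected POST "id" is refused because it is not an integer, not because of what it looks like; validation against the expected type is the check, and escaping for the eventual sink (query, HTML, shell) is a separate step.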