It's more like painting the color of your front door, but still leaving it unlocked. It doesn't change the fact that people can still open the door. Every input field needs to be validated regardless of GET vs. POST. The Web Developer toolbar for Firefox can easily convert all form fields to one or the other, so it's trivial to send a GET request as POST, and vice versa.

On 6/17/06, Chris Peterman <kyral@xxxxxxxxxx> wrote:
But it would seem that using $_POST cuts down on the number of possible ways that something bad could happen, doesn't it? (Someone correct me if I am wrong, I am by no means a security or PHP expert, though working towards both :D)

On Saturday 17 June 2006 14:51, Anthony Ettinger wrote:
> simply using $_POST is by no means more secure than $_REQUEST.
>
> On 6/17/06, Ben Ramsey <ramsey@xxxxxxx> wrote:
> > On 6/17/06 9:30 AM, David Tulloh wrote:
> > > Martin Marques wrote:
> > >> Yesterday when reading some doc on PHP I noticed the $_REQUEST
> > >> predefined array, which looked like a solution to having to check in
> > >> GET and POST data (I'm not sure if it will really have an impact on my
> > >> program yet).
> > >
> > > Yes, request is simply a merge of these arrays. It can be very useful
> > > and tends to be rather under used in PHP examples.
> >
> > Using $_REQUEST is similar to using register_globals. You simply cannot
> > trust the origin of the data. It's possible that a variable by the name
> > of "foo" exists as a cookie, POST value, and GET value. If you use
> > $_REQUEST, you cannot be assured that the value you are getting is from
> > the scope you intend to retrieve it.
> >
> > Consider the following script:
> >
> > <?php
> > setcookie('foo', 'cookie');
> > ?>
> > <form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>?foo=get">
> > <input type="text" name="foo" value="post" />
> > <input type="submit" />
> > </form>
> > <pre>
> > <?php
> > var_dump($_REQUEST);
> > var_dump($_GET);
> > var_dump($_POST);
> > var_dump($_COOKIE);
> > ?>
> > </pre>
> >
> > Save this to a PHP file, access it through a Web browser, and click on
> > the "Submit" button. You'll see four different arrays that output the
> > $_REQUEST, $_GET, $_POST, and $_COOKIE values. The problem is that the
> > $_REQUEST array contains only one value for "foo," but we know it exists
> > in all scopes with different values.
> >
> > A user that knows this can make use of this knowledge to add a GET
> > variable to the query string, add a cookie header to the request, or
> > spoof the form with other values in POST than you intend.
> >
> > So, there are two things you must do here: 1) always check the origin of
> > your data (don't use $_REQUEST, even if it seems convenient), and 2)
> > always check that the input received is input expected (filter the
> > input).
> >
> > --
> > Ben Ramsey
> > http://benramsey.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Anthony Ettinger
> Signature: http://chovy.dyndns.org/hcard.html

--
~ Chris "Kyral" Peterman
Computer Science Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Ubuntu Member
--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
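An added example (not posted by anyone in the thread) that runs Ben Ramsey's point from the CLI without a browser: it fills $_GET, $_POST and $_COOKIE with constructed values, shows which single "foo" survives the merge PHP does for $_REQUEST (driven by request_order, falling back to variables_order), and then reads the field only from the intended scope with a whitelist check, which is the "check the origin, then filter" advice in code. The function names merged_request and post_field are this example's own; it assumes PHP 7.1 or newer.

```php
<?php
// Added example, not from the thread. Constructed request data: the same
// name "foo" arrives in all three scopes, exactly as in Ben's script.
$_GET    = ['foo' => 'get'];
$_POST   = ['foo' => 'post'];
$_COOKIE = ['foo' => 'cookie'];

// PHP builds $_REQUEST once at startup by merging the scopes in the order
// given by request_order (or variables_order if that is unset); a later
// scope overwrites an earlier one, so only one "foo" survives. Because we
// assigned the superglobals at runtime, rebuild that merge by hand here.
function merged_request(string $order): array {
    $sources = ['G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);   // last wins
        }
    }
    return $merged;
}

// Point 1: name the scope you intend, so a cookie or query-string value
// cannot stand in for a form field. Point 2: accept only what you expect;
// $allowed is the whitelist of values the form can legitimately send.
function post_field(string $name, array $allowed): ?string {
    if (!array_key_exists($name, $_POST) || !is_string($_POST[$name])) {
        return null;                       // absent, or an array, not a string
    }
    return in_array($_POST[$name], $allowed, true) ? $_POST[$name] : null;
}

$order = ini_get('request_order') ?: ini_get('variables_order') ?: 'EGPCS';
echo "merge order in effect: $order\n";
var_dump(merged_request($order)['foo']);     // one value; which one depends on php.ini

var_dump(post_field('foo', ['post', 'other']));   // string(4) "post"
var_dump(post_field('foo', ['get']));             // NULL: not an expected value
```

With the built-in default variables_order of "EGPCS" the cookie value wins; with the "GP" that php.ini-development sets for request_order the POST value wins, which is exactly why the origin must not be left to configuration.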