Re: GET, POST, REQUEST

$_REQUEST is not particularly dangerous compared to $_GET or $_POST, it is just one more validation you can make: if you expect data from a POST, check it from POST. That's why I mentioned that form where I entered my personal data, the form was sent as POST but it took a faked GET from me, that's one mistake, but the worst was that the validation done in JavaScript on the client side was not repeated on the server side so it let my ID card number through. If they had done the data validation, it would have rejected my data whether it came via GET or POST.

Your application might require that flexibility of accepting data via POST or GET, in which case it is just fine. Contrary to another post I've read, there is nothing good about register_globals; that is why it is now defaulted to off and kept for compatibility, though highly discouraged. There is nothing intrinsically wrong with $_REQUEST, it is slightly more vulnerable than differentiating POSTs from GETs, but it is not the worst you can do.

Satyam

----- Original Message ----- From: "Martin Marques" <martin@xxxxxxxxxxxxxxx>
To: "Satyam" <Satyam@xxxxxxxxxxxxx>
Cc: <php-general@xxxxxxxxxxxxx>
Sent: Saturday, June 17, 2006 11:22 PM
Subject: Re:  GET, POST, REQUEST



On Sat, 17 Jun 2006 15:01:23 +0200, "Satyam" <Satyam@xxxxxxxxxxxxx> wrote:
In general, user input should never be trusted. Someone once told me that if you ask for yes or no, you should always validate for yes, no and don't know (of course, this was before windowed environments where the users can only click what you offer them).

Yes, I do validation. Incoming data is inserted into objects via methods that validate it first.

What I was asking is why $_REQUEST is untrusted while $_POST and $_GET are (or at least they are not explicitly untrusted).

--
---------------------------------------------------------
Lic. Martín Marqués         |   SELECT 'mmarques' ||
Centro de Telemática        |       '@' || 'unl.edu.ar';
Universidad Nacional        |   DBA, Programador,
   del Litoral             |   Administrador
---------------------------------------------------------

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




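Satyam's point above (read the form from $_POST only, and repeat the client-side checks on the server) as an added PHP example; this is not code from the thread, and the field names and the assumed ID-card format (8 digits plus a letter) are illustrative.

```php
<?php
// Added example, not from the thread. Field names and the ID-card format
// are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate a submitted profile form. Returns a list of error messages;
 * an empty array means the submission is acceptable.
 *
 * $method is $_SERVER['REQUEST_METHOD'] and $post is $_POST. $_GET and
 * $_REQUEST are deliberately never consulted, so a value smuggled in via
 * the query string is ignored rather than merged in.
 */
function validateProfileForm(string $method, array $post): array
{
    $errors = [];

    // The form is declared as POST; anything else is rejected outright,
    // which covers the "faked GET" case described in the thread.
    if ($method !== 'POST') {
        $errors[] = 'Form must be submitted with POST';
        return $errors;
    }

    // Repeat every check the client-side JavaScript would have done.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters)';
    }

    $idCard = strtoupper(trim((string) ($post['id_card'] ?? '')));
    if (!preg_match('/^[0-9]{8}[A-Z]$/', $idCard)) {
        $errors[] = 'ID card number must be 8 digits followed by a letter';
    }

    return $errors;
}

// Wire it into a real request. Only $_POST is read; $_REQUEST would
// silently accept a GET request carrying the same field names.
$errors = validateProfileForm($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "\n";
    }
    exit;
}
// Persist the validated $_POST values here.
```

With this shape, a request that sends id_card in the query string of a GET is refused before any field is examined, and a POST with a malformed number is refused by the same rule the browser-side script applies.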

