on 06/17/2006 07:10 PM Ben Ramsey said the following:
> On 6/17/06 5:34 PM, Satyam wrote:
>> Your application might require that flexibility of accepting data via
>> POST or GET, in which case it is just fine. Contrary to another
>> post I've read, there is nothing good about register_globals; that is why
>> it now defaults to off and is kept for compatibility, though highly
>> discouraged. There is nothing intrinsically wrong with $_REQUEST; it
>> is slightly more vulnerable than differentiating POSTs from GETs, but
>> it is not the worst you can do.
>
> I never said there was anything good about register_globals. In fact, I
> was implying that it was bad. With register_globals, you can't tell
> whether the variable $foo is local, global, from POST, from GET, from
> COOKIE, etc. I compared $_REQUEST to register_globals because it behaves
> similarly: you still don't know whether $_REQUEST['foo'] comes from
> POST, GET, or COOKIE. The good thing is that you at least know it comes
> from an HTTP request, so you know not to trust anything from it.

Allow me a little disagreement, but the problem with register_globals isn't not being able to distinguish between client-side originated global variables like GET, POST and COOKIE, but rather not being able to distinguish client-side and server-side originated global variables, which include environment variables and session variables.

Having register_globals enabled does not, per se, make any site vulnerable. What can potentially make a site vulnerable is using code that fetches session and environment variables from global variables instead of $_SESSION, $_SERVER and $_ENV (or getenv()). As long as you use these superglobals for accessing server-side originated variables, it does not matter if you use $_REQUEST instead of $_GET, $_POST or $_COOKIE, because all of these client-side variables can be forged by a potential attacker with a crafted request.

So, a secure application always has to validate values from client-side originated variables, regardless of whether the values were retrieved from $_GET, $_POST, $_COOKIE or $_REQUEST. As for server-side originated variables, these do not need to be validated if you get them from $_SESSION, $_SERVER and $_ENV.

--
Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
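The following is an added illustration of the distinction drawn in the message above (client input shadowing server-side state versus the GET/POST/COOKIE mix); it is example code written for this page, not code from the original thread or from any of the posters. Because register_globals was removed from PHP in 5.4, its effect is simulated with extract($_GET), which is an assumption made for the demonstration; the request, session and $_REQUEST contents are constructed inline so the script runs from the CLI without a web server.

```php
<?php
// Constructed attacker request, as if the URL were ?authorized=1&page=admin
// (assumption for the demo; a real request would populate these itself).
$_GET     = ['authorized' => '1', 'page' => 'admin'];
$_REQUEST = $_GET;                    // $_REQUEST merges GET, POST and COOKIE
$_SESSION = [];                       // the user never actually logged in

// --- Vulnerable pattern: server-side state read from a plain global --------
// With register_globals=On, $authorized might have been set by a real login
// ($_SESSION['authorized']) or injected by the client (?authorized=1); the
// code has no way to tell which.
function vulnerableIsAuthorized(): bool
{
    global $authorized;
    return !empty($authorized);
}

extract($_GET);                       // simulates register_globals=On (assumption)
$vulnerableResult = vulnerableIsAuthorized();

// --- Safe pattern: server-side state only ever comes from $_SESSION --------
// No client-supplied variable can overwrite $_SESSION, so no validation of
// its origin is needed here.
function isAuthorized(): bool
{
    return !empty($_SESSION['authorized']);
}
$safeResult = isAuthorized();

// --- Client-side values are validated whichever superglobal delivered them --
// Whether the value came via $_GET, $_POST, $_COOKIE or $_REQUEST makes no
// difference: it is attacker-controlled, so it is checked against a whitelist.
function requestedPage(): string
{
    $allowed = ['home', 'help', 'account'];
    $page = $_REQUEST['page'] ?? 'home';
    return in_array($page, $allowed, true) ? $page : 'home';
}
$page = requestedPage();

printf("register_globals-style check: %s\n", $vulnerableResult ? 'AUTHORIZED' : 'denied');
printf("\$_SESSION-based check:        %s\n", $safeResult ? 'AUTHORIZED' : 'denied');
printf("page served:                  %s\n", $page);
```

Run with `php example.php`: the register_globals-style check grants access purely because the constructed query string carried authorized=1, the $_SESSION-based check denies it because no session value was ever set, and the requested page "admin" falls back to "home" because it is not in the whitelist. Swapping $_REQUEST for $_GET in requestedPage() changes nothing about its security, which is the point of the message above; what matters is that session state is never read through a variable the client can populate.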