On Fri, 2006-09-08 at 18:38 -0400, tedd wrote:
> At 5:03 PM -0400 9/8/06, JD wrote:
> >I'm trying to set up a simple conditional, something like this:
> >
> >Here is what I have tried:
> >
> > if ($_REQUEST['id'] != ("black" or "white")) {
>
>
> In all of the answers given thus far, no one mentioned that the use
> of $_REQUEST has a security issue with regard to where the $_REQUEST
> originated.
>
> $_REQUEST is an array consisting of $_GET, $_POST and $_COOKIE values
> and as such, you don't know where the data came from and that might
> be important.
>
> So, wouldn't it be better to recommend that the poster use $_GET,
> $_POST, or $_COOKIE instead of $_REQUEST?

Nope, not inherently less secure. If you are properly cleaning and
validating your data (as every good program should) then it doesn't
matter whether you pull from $_GET, $_POST, or $_REQUEST. The only time
it's bad is if you make assumptions about the value received -- AND YOU
SHOULD NEVER ASSUME YOU HAVE CLEAN DATA FROM AN OUTSIDE SOURCE!!

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
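
The validation discussed in this message, as an added example that is not part of the original thread: an allowlist check on `id` that behaves the same whichever superglobal it is handed. The names `validate_id` and `ALLOWED_IDS` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; validate_id() and ALLOWED_IDS are hypothetical names.
// Note on the quoted attempt: ("black" or "white") evaluates to boolean true,
// so that test compares the parameter loosely against true, not against
// either string.

const ALLOWED_IDS = ['black', 'white'];

/**
 * Return the validated id from $source, or null if it is missing or invalid.
 * $source is whichever array the caller chose: $_GET, $_POST or $_REQUEST.
 */
function validate_id(array $source): ?string
{
    if (!isset($source['id'])) {
        return null;
    }
    $id = $source['id'];
    // A query string such as ?id[]=black arrives as an array, not a string.
    if (!is_string($id)) {
        return null;
    }
    // Third argument true forces strict comparison, so no type juggling.
    return in_array($id, ALLOWED_IDS, true) ? $id : null;
}

// Constructed sample inputs standing in for request data.
$samples = [
    ['id' => 'black'],     // accepted
    ['id' => 'red'],       // not in the allowlist
    ['id' => ['black']],   // array where a string is expected
    ['id' => 'Black'],     // case differs, rejected by strict match
    [],                    // parameter missing
];

foreach ($samples as $sample) {
    var_dump(validate_id($sample));
}
```

Passing `$_GET` instead of `$_REQUEST` changes only where the value is read from; the check applied to it is identical.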