Robert Cummings wrote:
On Fri, 2006-09-08 at 18:38 -0400, tedd wrote:
At 5:03 PM -0400 9/8/06, JD wrote:

In all of the answers given thus far, no one mentioned that the use
of $_REQUEST has a security issue with regard to where the $_REQUEST
originated.
$_REQUEST is an array consisting of $_GET, $_POST and $_COOKIE values
and as such, you don't know where the data came from and that might
be important.
So, wouldn't it be better to recommend that the poster use $_GET,
$_POST, or $_COOKIE instead of $_REQUEST?

Nope, not inherently less secure. If you are properly cleaning and
validating your data (as every good program should) then it doesn't
matter whether you pull from $_GET, $_POST, or $_REQUEST. The only time
it's bad is if you make assumptions about the value received -- AND YOU
SHOULD NEVER ASSUME YOU HAVE CLEAN DATA FROM AN OUTSIDE SOURCE!!

However, looking at it from a 'knowing early the data is tainted'
perspective, not from a 'validating and cleaning perspective', if you
have coded that (for instance) a variable is set via COOKIE, then only
looking for that variable set via COOKIE will eliminate its being
tainted by being set via GET or REQUEST. It doesn't eliminate any need
for validation or cleaning, but reduces (naive) attempts to set via
incorrect means. That is not possible via REQUEST. Personally, I like to
toss out possibilities of bad data via simple means as early in the
chain as possible.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
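To put the distinction the thread is drawing into code, here is an added example (not from any poster in the thread): a value is fetched from one named source ($_COOKIE) and, separately, from the merged $_REQUEST array, with the same whitelist validation applied to both. The parameter name "theme", the whitelist and the request contents are constructed for the demonstration.

```php
<?php
// Added example, not from the thread: reading a parameter from one named
// source array versus from $_REQUEST. Parameter name, whitelist and the
// request contents below are constructed for the demonstration.

// The only values the hypothetical "theme" cookie is allowed to take.
$allowedThemes = ['light', 'dark'];

// Read $name from exactly the array the caller hands in, then validate it.
// Returns the clean string, or null when the value is missing or not allowed.
// Naming the source means a value supplied through another channel is never
// seen; the whitelist check still runs, because data from any outside source
// is tainted regardless of which superglobal it arrived in.
function cleanParam(array $source, $name, array $allowed)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return in_array($source[$name], $allowed, true) ? $source[$name] : null;
}

// Constructed request: no cookie was sent, but the query string carries
// "theme", i.e. someone tried to set it "via incorrect means".
$_GET    = ['theme' => 'dark'];
$_POST   = [];
$_COOKIE = [];

// PHP populates $_REQUEST at startup; rebuild it here the way the default
// variables_order "EGPCS" does, with later sources overwriting earlier ones
// (so a cookie would win over a POST field, which would win over a GET one).
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

// Cookie-only lookup: the cookie is absent, so the request is treated as
// carrying no theme preference at all, whatever the URL says.
$fromCookie = cleanParam($_COOKIE, 'theme', $allowedThemes);

// $_REQUEST lookup: the query-string value is a legal theme, so it passes
// validation and is accepted, even though the application meant "theme" to
// come only from a cookie. Validation alone cannot tell the two apart;
// choosing the source is what rejects the wrong channel early.
$fromRequest = cleanParam($_REQUEST, 'theme', $allowedThemes);

var_dump($fromCookie, $fromRequest);
```

PHP's filter extension offers the same source-naming built in: filter_input() takes INPUT_GET, INPUT_POST or INPUT_COOKIE and reads only that source (it reads the original request data, so it does not see superglobals reassigned in a script like the one above).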