Re: if statement with or comparison (newbie)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Robert Cummings wrote:
On Fri, 2006-09-08 at 18:38 -0400, tedd wrote:
At 5:03 PM -0400 9/8/06, JD wrote:
In all of the answers given thus far, no one mentioned that the use of $_REQUEST has a security issue with regard to where the $_REQUEST originated.

$_REQUEST is an array consisting of $_GET, $_POST and $_COOKIE values and as such, you don't know where the data came from and that might be important.

So, wouldn't it be better to recommend that the poster use $_GET, $_POST, or $_COOKIE instead of $_REQUEST?

Nope, not inherently less secure. If you are properly cleaning and
validating your data (as every good program should) then it doesn't
matter whether you pull from $_GET, $_POST, or $_REQUEST. The only time
it's bad is if you make assumptions about the value received -- AND YOU
SHOULD NEVER ASSUME YOU HAVE CLEAN DATA FROM AN OUTSIDE SOURCE!!
However, looking at it from a 'knowing early the data is tainted' perspective, not from a 'validating and cleaning perspective', if you have coded that (for instance) a variable is set via COOKIE, then only looking for that variable set via COOKIE will eliminate its being tainted by being set via GET or REQUEST. It doesn't eliminate any need for validation or cleaning, but reduces (naive) attempts to set via incorrect means. That is not possible via REQUEST. Personally, I like to toss out possibilities of bad data via simple means as early in the chain as possible.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux