Mark Charette wrote:
However, looking at it from a 'knowing early the data is tainted' perspective, not from a 'validating and cleaning perspective', if you have coded that (for instance) a variable is set via COOKIE, then only looking for that variable set via COOKIE will eliminate its being tainted by being set via GET or REQUEST. It doesn't eliminate any need for validation or cleaning, but reduces (naive) attempts to set via incorrect means. That is not possible via REQUEST. Personally, I like to toss out possibilities of bad data via simple means as early in the chain as possible.
If I understood that right it's a shocking naive statement for any developer to make. While I agree with what you're saying, you're implying a bad attitude to handling data from untrusted sources.
It shouldn't matter how difficult it is for the user to send you dodgy data... if its source is outside your control you need to handle it accordingly no matter how unlikely you think it is that it will be changed between you setting it and getting it back.
Data from any of the superglobals should be treated the same - trust none of them!!
-Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php