Re: if statement with or comparison (newbie)

On Sat, 2006-09-09 at 10:21 -0400, Mark Charette wrote:
> Robert Cummings wrote:
> > On Fri, 2006-09-08 at 18:38 -0400, tedd wrote:
> >   
> >> At 5:03 PM -0400 9/8/06, JD wrote:
> >>     
> >> In all of the answers given thus far, no one mentioned that the use 
> >> of $_REQUEST has a security issue with regard to where the $_REQUEST 
> >> originated.
> >>
> >> $_REQUEST is an array consisting of $_GET, $_POST and $_COOKIE values 
> >> and as such, you don't know where the data came from and that might 
> >> be important.
> >>
> >> So, wouldn't it be better to recommend that the poster use $_GET, 
> >> $_POST, or $_COOKIE instead of $_REQUEST?
> >>     
> >
> > Nope, not inherently less secure. If you are properly cleaning and
> > validating your data (as every good program should) then it doesn't
> > matter whether you pull from $_GET, $_POST, or $_REQUEST. The only time
> > it's bad is if you make assumptions about the value received -- AND YOU
> > SHOULD NEVER ASSUME YOU HAVE CLEAN DATA FROM AN OUTSIDE SOURCE!!
> >   
> However, looking at it from a 'knowing early the data is tainted' 
> perspective, not from a 'validating and cleaning perspective', if you 
> have coded that (for instance) a variable is set via COOKIE, then only 
> looking for that variable set via COOKIE will eliminate its being 
> tainted by being set via GET or REQUEST. It doesn't eliminate any need 
> for validation or cleaning, but reduces (naive) attempts to set via 
> incorrect means. That is not possible via REQUEST. Personally, I like to 
> toss out possibilities of bad data via simple means as early in the 
> chain as possible.

Any malevolently intentioned hacker will have little properly screwing
around with cookie data. I'm pretty sure browsers allow editing the
cookie values via the cookie browser. And if not, a quick PHP script is
just as simple to create that mucks with cookie data.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
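The point Mark and Rob are arguing over, as an added example that is not code from the thread: read a parameter only from the superglobal it is expected in, and validate it whatever the source, since $_REQUEST merges $_GET, $_POST and $_COOKIE (in an order set by php.ini, assumed here) and so loses the information about where a value came from. The function name and the sample request values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. fetch_validated() is a
// hypothetical helper: it reads a key from one explicitly chosen
// superglobal and accepts the value only if it matches a whitelist pattern.

function fetch_validated(array $source, string $key, string $pattern, ?string $default = null): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    // Whitelist validation is applied no matter which superglobal the
    // value came from; the origin alone is never a reason to trust it.
    return preg_match($pattern, $source[$key]) === 1 ? $source[$key] : $default;
}

// Constructed request for demonstration: the same name arrives both as a
// cookie and as a query-string parameter, with different values.
$_COOKIE  = ['lang' => 'en'];
$_GET     = ['lang' => 'fr', 'page' => '<b>home</b>'];
// $_REQUEST is normally built by PHP; the merge order below is an assumption
// standing in for the php.ini setting, with the GET value overriding.
$_REQUEST = array_merge($_COOKIE, $_GET);

$langPattern = '/^[a-z]{2}$/';
$pagePattern = '/^[a-z0-9_]+$/';

// Reading $_COOKIE directly keeps the cookie's own value; reading $_REQUEST
// silently takes whichever source won the merge, so the cookie setting can be
// overridden from the query string without the application noticing.
$fromCookie  = fetch_validated($_COOKIE,  'lang', $langPattern, 'en');
$fromRequest = fetch_validated($_REQUEST, 'lang', $langPattern, 'en');

// The page name fails the whitelist and falls back to the default, which is
// the validation step that is needed regardless of which array is read.
$page = fetch_validated($_GET, 'page', $pagePattern, 'home');

printf("lang from cookie: %s\nlang from request: %s\npage: %s\n",
       $fromCookie, $fromRequest, $page);
```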

