Stut wrote:
> Mark Charette wrote:
>> However, looking at it from a 'knowing early the data is tainted'
>> perspective, not from a 'validating and cleaning perspective', if you
>> have coded that (for instance) a variable is set via COOKIE, then
>> only looking for that variable set via COOKIE will eliminate its
>> being tainted by being set via GET or REQUEST. It doesn't eliminate
>> any need for validation or cleaning, but reduces (naive) attempts to
>> set via incorrect means. That is not possible via REQUEST.
>> Personally, I like to toss out possibilities of bad data via simple
>> means as early in the chain as possible.
> If I understood that right it's a shockingly naive statement for any
> developer to make. While I agree with what you're saying, you're
> implying a bad attitude to handling data from untrusted sources.
I am being neither shocking nor naive. Why is early discarding of data
because it comes in the wrong area shocking? If I were looking for a
variable set via a COOKIE, why would I look for the variable set via
GET? As I so explicitly said above "It doesn't eliminate any need for
validation or cleaning, but reduces (naive) attempts to set via
incorrect means." My CPU resources are valuable; writing code that
checks whether a variable is set via the correct method is no harder
($_COOKIE vs. $_REQUEST) and throws out trivially spurious data. No
more, no less. The same checks still need to apply after that, but my CPU
won't be burdened by the script kiddies. No more, no less. The data just
won't appear.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
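The difference the thread is arguing about, as an added example that is not code from either poster: one reader consults only the cookie array, the other consults a merged request array, and both still validate the value afterwards. The function names, the token format (32 lowercase hex characters) and the sample arrays are constructed for this illustration; a real request would supply them via $_COOKIE, $_GET and $_REQUEST.

```php
<?php
declare(strict_types=1);

// Added example, not from the mailing-list thread. The helper names and the
// sample arrays below are constructed for illustration only.

// Read a token only from the cookie array. $_GET, $_POST and $_REQUEST are
// never consulted, so a value supplied as ?token=... in the URL does not
// exist as far as this function is concerned.
function tokenFromCookie(array $cookie, string $name = 'token'): ?string
{
    if (!isset($cookie[$name]) || !is_string($cookie[$name])) {
        return null;
    }
    // Choosing the source early does not replace validation: the value is
    // still checked against the expected shape (here: 32 lowercase hex chars).
    return isValidToken($cookie[$name]) ? $cookie[$name] : null;
}

// The approach the thread argues against: a merged array (what $_REQUEST is)
// cannot tell the caller whether the value arrived as a cookie or as a query
// parameter. Which sources feed $_REQUEST, and in what precedence, depends on
// the request_order / variables_order ini settings.
function tokenFromRequest(array $request, string $name = 'token'): ?string
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return null;
    }
    return isValidToken($request[$name]) ? $request[$name] : null;
}

// Shared validation; the same check applies whichever source was used.
function isValidToken(string $value): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $value) === 1;
}

// Simulated request (constructed input): the token is present in the query
// string but no cookie was sent at all.
function demo(): array
{
    $get    = ['token' => str_repeat('a', 32)]; // attacker-controlled via the URL
    $cookie = [];                               // no cookie arrived

    // Stand-in for $_REQUEST. Because the cookie array is empty, the merge
    // order (which in real PHP follows request_order) does not matter here.
    $request = array_merge($cookie, $get);

    return [
        'from_cookie'  => tokenFromCookie($cookie),
        'from_request' => tokenFromRequest($request),
    ];
}

foreach (demo() as $source => $token) {
    printf("%-12s => %s\n", $source, $token === null ? 'rejected (null)' : $token);
}
```

Run from the command line with `php example.php`. The cookie-only reader rejects the request because nothing arrived in the cookie, while the merged reader accepts the URL-supplied value as though it had been a cookie; the validation step is identical in both, which is the point being made above: picking the source early discards the wrong-channel value before any further checks run, but those checks are still needed on whatever does come through.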