On Mon, February 12, 2007 8:41 pm, J R wrote:
> It is not advised to do filtering on _REQUEST getting data in general from
> it actually. It is much better to specify where your data is coming from
> (e.g. _POST or _GET). This is because variable _REQUEST contains all the
> data from the cookies, get and post. And if ever you have the same variable
> name on two or more of those variables you might get the wrong one.
>
> And as we all know there is a security risk with cookies. Users can easily
> replace your data, for example in post, using cookies.

Or they could replace all the POST data using POST...

A Bad Guy would have to be incredibly naive, unskilled, and downright dumb to be caught by your script differentiating between GET/POST/COOKIE as the source of the data.

Spoofing a POST is a matter of saving the HTML locally and filling in whatever you want for extra INPUT and the values you like.

If you intentionally have 2 (or more) inputs to your script of the same name, one each from GET/POST/COOKIE, I'd have to say that's a pretty confusing design from the get-go.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
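The two points raised in this thread, shown as an added PHP example that is not part of the original messages: a name collision in a merged `$_REQUEST`-style array is resolved by source order, and a value is only trustworthy after server-side validation, whichever source carried it. The helper names `merge_request` and `valid_account_id`, the `account_id` field and all sample values are assumptions made for illustration; the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration; function names and sample values are constructed.

/**
 * Merge request sources the way PHP fills $_REQUEST: sources are applied in
 * the configured order (G = GET, P = POST, C = COOKIE) and a later source
 * overwrites an earlier one when both carry the same name.
 */
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is; later values win on collision.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Accept an account id only if it is an integer in range, from any source. */
function valid_account_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999999]]);
    return $id === false ? null : $id;
}

// Constructed sample request: the same name arrives by POST and by cookie.
$get    = ['page' => '2'];
$post   = ['account_id' => '42'];
$cookie = ['account_id' => 'not-a-number'];

// With cookies merged last, the cookie value shadows the POST value.
var_dump(merge_request('GPC', $get, $post, $cookie)['account_id']);
// With cookies left out of the merge, the POST value is the one seen.
var_dump(merge_request('GP', $get, $post, $cookie)['account_id']);

// Reading $_POST explicitly avoids the collision, but a hand-built POST can
// carry any value, so the range check is what actually decides acceptance.
var_dump(valid_account_id($post['account_id']));   // well-formed value
var_dump(valid_account_id('-1'));                  // constructed forged POST value
var_dump(valid_account_id($cookie['account_id'])); // colliding cookie value
```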