Re: Looking for a reasonable explanation as to why $_REQUEST exists

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



mike wrote:
On 7/7/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:

Laziness/convenience.

I always get my data from the exact source I want.  If someone chooses
to use REQUEST it shouldn't break their application.  You say it is a
security risk, but not really.  As long as everything is
filtered/escaped properly it should be fine because you force the data
to play by your rules.

I'm not talking about escaping/filtering. I'm talking about variable overriding.

In the past, it was

$_GET['foo']
$foo

register_globals fixed that.

however, if your app is relying on

$_SESSION['username'] or $_COOKIE['username'] or something like that,
depending on the variables order, it can be overridden.

I don't see why if you -know- you need $_COOKIE['username'] someone
would be lazy and use $_REQUEST['username']

It winds up allowing the end user to override information themselves
(again, depending on the variables order) which depending on that and
how poor the code is (which to me if you're relying on $_REQUEST
you've probably got some bugs and exploitable holes in there) creates
a security risk.

and session vars are in $_REQUEST, I tried it to sanity check myself
before posting this :)

Well, either your sanity or your PHP is broken. Session vars are not in $_REQUEST. The session ID may be because it might be in a cookie var which is in $_REQUEST.

-Shawn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux