$_REQUEST is not any less secure than $_POST/$_GET/$_COOKIE; they all contain raw user data. The way $_REQUEST is being used in this example is not less secure than using $_GET. It does open up an exploit, but this is not because $_REQUEST is less secure. The same exploit exists with $_GET: I could place an image on the page with src="?act=logout". $_REQUEST has a place, but it should not be used as a direct substitute for $_GET/POST etc., unless you want the user to be able to have all the options of posting data to the server.

2009/4/14 דניאל דנון <danondaniel@xxxxxxxxx>

> $_REQUEST is "less secure" because it also contains cookie data.
> If you manage just to set a cookie, with the name "act" and value "logout",
> the user will infinitely log out - You get the point.
>
> On Sun, Apr 12, 2009 at 10:56 PM, Jason Pruim <jason@xxxxxxxxxxxxxx> wrote:
>
> > On Apr 12, 2009, at 1:48 PM, Ron Piggott wrote:
> >
> > > Thanks. I got my script updated. Ron
> > >
> >
> > There are a few other things that I didn't see mentioned...
> >
> > The best description of when to use what is this: use POST when you are
> > submitting a form for storing info; use GET when you are retrieving from
> > the server...
> >
> > GET can also be bookmarked and shared between computers without a
> > problem... So depending on what your app is for, that might be a
> > consideration.
> >
> > POST does not display anything in the browser, so as others have said it's
> > perfect for logins, since that info will never be visible to the user.
> >
> > As far as REQUEST goes... I personally don't think it's any less secure
> > than POST or GET... As long as you do sanitization on the info that is
> > appropriate for your app, REQUEST is fine...
> >
> > Some people prefer to use GET and POST though, because then they know where
> > the info is coming from...
> >
> > I think that's everything I wanted to add :) Just stuff to think about.
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
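The point made above is that the forced-logout problem comes from accepting a state-changing action from any request the browser will send, not from $_REQUEST as such. The following PHP is an added example written for this thread, not code posted by any of the participants: a logout handler in the style under discussion (an `act` parameter read from the merged request array) next to a hardened version that only acts on a POST carrying a per-session token. The function names, the `csrf_token` field and the session contents are assumptions made up for the example, and the request arrays are constructed inline so it runs offline.

```php
<?php
// Added example, not from the original thread. Function names, the
// 'csrf_token' field and the session layout are assumptions made for
// illustration. Inputs are passed as parameters instead of reading the real
// superglobals so the behaviour can be exercised with constructed data.

declare(strict_types=1);

// --- Pattern discussed in the thread -----------------------------------------
// $_REQUEST merges $_GET, $_POST and $_COOKIE (order set by request_order /
// variables_order), so 'act' can arrive from any of them. Reading $_GET['act']
// has the same weakness: a logout triggered by a plain GET can be forced by
// any page the victim views that references ?act=logout, and a cookie named
// 'act' would force it on every request.
function handleLogoutLoosely(array $request, array &$session): bool
{
    if (($request['act'] ?? '') === 'logout') {
        $session = [];          // user is logged out
        return true;
    }
    return false;
}

// --- Hardened pattern ---------------------------------------------------------
// State-changing actions are read from the POST body only, only on a POST
// request, and only when the form carries the token issued to this session.
// hash_equals() keeps the comparison constant-time.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function handleLogoutSafely(string $method, array $post, array &$session): bool
{
    if ($method !== 'POST') {
        return false;                       // GET (img src, link, bookmark) never logs out
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return false;                       // missing or foreign token
    }
    if (($post['act'] ?? '') !== 'logout') {
        return false;
    }
    $session = [];
    return true;
}

// --- Constructed demonstration -----------------------------------------------
$forged = ['act' => 'logout'];              // what $_REQUEST would hold from ?act=logout or a cookie

$session = ['user_id' => 42];
echo "loose handler, forged input: ", var_export(handleLogoutLoosely($forged, $session), true), PHP_EOL;

$session = ['user_id' => 42];
$token   = issueCsrfToken($session);
echo "safe handler, GET:           ", var_export(handleLogoutSafely('GET', $forged, $session), true), PHP_EOL;
echo "safe handler, POST no token: ", var_export(handleLogoutSafely('POST', $forged, $session), true), PHP_EOL;
echo "safe handler, genuine form:  ", var_export(
    handleLogoutSafely('POST', ['act' => 'logout', 'csrf_token' => $token], $session), true
), PHP_EOL;
```

Run it with `php example.php`. The loose handler logs the user out on the forged input whichever superglobal it came from; the hardened one rejects the GET and the token-less POST and only honours the form submission that carries the session's own token, which is the property a logout (or any other state change) actually needs.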