On Mon, Feb 22, 2010 at 1:30 PM, David Murphy <david@xxxxxxxxxxxxxxxxx> wrote: > Richard, > > > The use of $_REQUEST it no more a security hole than $_GET or $_REQUEST, > they should ALL be treats as bad data until normalized and sanitized. The > claim that it opens a security hole is just false, that’s like saying PHP > is insecure, its not it just allows for lazy coding such as $_REQUEST. It represents a way for people to exploit coders who don't know any better. Expecting a cookie value to come through in $_REQUEST but you could override using a query string parameter makes for easy exploitation. Probably not catastrophic but much easier to brute force things if you don't have to bother with cookies, or can fake a user identity easier; things of that nature. If you coded your app well, in theory it won't make much difference, however, why keep something out there that makes it easier for people to mess with your site, period? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
