On Mon, Feb 22, 2010 at 2:07 PM, John Black <spam@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> And how is this more secure? I can create a cookie, send post or get on my
> client machine and send anything I want to the server. Just because you are
> getting a cookie does not mean that you created it :)
>
> So you might as well use request because the data can not be trusted either
> way.

Kind of like saying "why bother exercising and keeping healthy - we're going to die anyway".

"Secure" might be the wrong term here. As you can easily change GET to POST and vice-versa and send any cookies you like, this is why I tried to revise my statement and quantify it better... in a properly coded app it doesn't present much issue.

However, it encourages laziness, and PHP's barrier to entry is so easy that there are a lot of people who consider a cookie to be trusted, and overriding it with a simple GET parameter is too easy of an attack vector. At least make it difficult.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
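The point being argued in this thread, as an added example that is not code from either poster: a cookie-backed flag read through `$_REQUEST` can be shadowed by a GET or POST parameter, and which source wins (or whether cookies appear at all) is decided by php.ini, not by the code. `buildRequest()` is a constructed stand-in for how PHP fills `$_REQUEST` from `request_order` (falling back to `variables_order`), and the session store is constructed sample data.

```php
<?php
// Added example. buildRequest() approximates how PHP populates $_REQUEST:
// the sources named in request_order (G, P, C) are merged in that order,
// with later sources overwriting earlier ones. It is a simulation, not
// PHP's own implementation.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $src) {
        $request = array_merge($request, $sources[$src] ?? []);
    }
    return $request;
}

// Weak: the flag is expected in a cookie but read via $_REQUEST, so a
// query-string or form field may replace it depending on php.ini settings.
function isAdminWeak(array $request): bool
{
    return ($request['is_admin'] ?? '0') === '1';
}

// Narrower: read the superglobal the value is actually expected in, so a
// GET or POST parameter can no longer stand in for the cookie.
function isAdminFromCookie(array $cookie): bool
{
    return ($cookie['is_admin'] ?? '0') === '1';
}

// Real fix, as the thread notes the client controls its cookies as well:
// keep the decision server-side and accept only an opaque session id.
function isAdminFromSession(array $cookie, array $sessions): bool
{
    $sid = $cookie['sid'] ?? '';
    return ($sessions[$sid]['is_admin'] ?? false) === true;
}

// Constructed request: the cookie says "not admin", the query string says "admin".
$get      = ['is_admin' => '1'];
$cookie   = ['is_admin' => '0', 'sid' => 'sess-constructed'];
$sessions = ['sess-constructed' => ['is_admin' => false]];

// "GP" (the value shipped in php.ini-production): cookies never reach $_REQUEST,
// so the GET value is the only one seen. "CGP": GET overwrites the cookie.
// "GPC": the cookie overwrites GET. The result depends on configuration alone.
foreach (['GP', 'CGP', 'GPC'] as $order) {
    printf("request_order=%s  isAdminWeak=%s\n", $order,
        var_export(isAdminWeak(buildRequest($order, $get, [], $cookie)), true));
}
printf("isAdminFromCookie=%s\n", var_export(isAdminFromCookie($cookie), true));
printf("isAdminFromSession=%s\n", var_export(isAdminFromSession($cookie, $sessions), true));
```

Reading `$_COOKIE` directly removes the cross-source override; only the session-backed check removes the trust in client-supplied data altogether.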