On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET to POST and vice-versa and send any cookies you like, this is why I tried to revise my statement and quantify it better... in a properly coded app it doesn't present much issue. However, it encourages laziness and PHP's barrier to entry is so easy that there is a lot of people who consider a cookie to be trusted, and overriding it with a simple GET parameter is too easy of an attack vector. At least make it difficult.
Just because someone believes that a cookie is something that can be trusted does not make it so. A properly coded app should not care how the client sends the information, only that the information is it valid and expected.
A cookie is the same thing as $_POST or $_GET data but it can be stored for a period of time, what happens to the stored data is out of our control. Treating one any different from the other is just wrong and will create apps with security holes.
For anybody who would like to try the GUI version of tampering with data sent to the server checkout TamperData for FireFox.
-- John Klarmachen zum Ändern! http://www.youtube.com/v/AYM-_qfytfA -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php