On Mon, Feb 22, 2010 at 22:37, Michael Shadle <mike503@xxxxxxxxx> wrote: > On Mon, Feb 22, 2010 at 1:30 PM, David Murphy <david@xxxxxxxxxxxxxxxxx> wrote: >> Richard, >> >> >> The use of $_REQUEST it no more a security hole than $_GET or $_REQUEST, >> they should ALL be treats as bad data until normalized and sanitized. The >> claim that it opens a security hole is just false, that’s like saying PHP >> is insecure, its not it just allows for lazy coding such as $_REQUEST. > > It represents a way for people to exploit coders who don't know any better. > > Expecting a cookie value to come through in $_REQUEST but you could > override using a query string parameter makes for easy exploitation. > Probably not catastrophic but much easier to brute force things if you > don't have to bother with cookies, or can fake a user identity easier; > things of that nature. > > If you coded your app well, in theory it won't make much difference, > however, why keep something out there that makes it easier for people > to mess with your site, period? Using $_REQUEST poses no security issues whatsoever. Just because there are incompetent programmers doesn't mean that a language feature is inherently insecure. It's entirely dependent on how you use it. A pen is also dangerous if you stab someone in the eye with it. Certain features in PHP may be dangerous if you give them to incompetent people who don't know what they're doing. Besides, whether or not you can "override" cookie values depends on whether the programmer also uses $_REQUEST for cookie values and the request_order php.ini directive. The value in the php.ini files that ship with PHP 5.3 default to only including GET and POST data for instance: http://svn.php.net/viewvc/php/php-src/tags/php_5_3_1/php.ini-production?view=markup#l671 If an attacker can do an HTTP GET request, he can most likely also do an HTTP POST request (and vice versa) and the input value will be no more (in)secure regardless of the source. Using $_GET/$_POST in place of $_REQUEST is no more than security theater in my opinion. -- Daniel Egeberg -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
