Re: $_POST vs $_REQUEST

On Mon, Feb 22, 2010 at 22:37, Michael Shadle <mike503@xxxxxxxxx> wrote:
> On Mon, Feb 22, 2010 at 1:30 PM, David Murphy <david@xxxxxxxxxxxxxxxxx> wrote:
>> Richard,
>>
>>
>> The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST;
>> they should ALL be treated as bad data until normalized and sanitized. The
>> claim that it opens a security hole is just false; that's like saying PHP
>> is insecure. It's not, it just allows for lazy coding such as $_REQUEST.
>
> It represents a way for people to exploit coders who don't know any better.
>
> Expecting a cookie value to come through in $_REQUEST but you could
> override using a query string parameter makes for easy exploitation.
> Probably not catastrophic but much easier to brute force things if you
> don't have to bother with cookies, or can fake a user identity easier;
> things of that nature.
>
> If you coded your app well, in theory it won't make much difference,
> however, why keep something out there that makes it easier for people
> to mess with your site, period?

Using $_REQUEST poses no security issues whatsoever. Just because
there are incompetent programmers doesn't mean that a language feature
is inherently insecure. It's entirely dependent on how you use it. A
pen is also dangerous if you stab someone in the eye with it. Certain
features in PHP may be dangerous if you give them to incompetent
people who don't know what they're doing.

Besides, whether or not you can "override" cookie values depends on
whether the programmer also uses $_REQUEST for cookie values and the
request_order php.ini directive. The value in the php.ini files that
ship with PHP 5.3 default to only including GET and POST data for
instance:
http://svn.php.net/viewvc/php/php-src/tags/php_5_3_1/php.ini-production?view=markup#l671

If an attacker can do an HTTP GET request, he can most likely also do
an HTTP POST request (and vice versa) and the input value will be no
more (in)secure regardless of the source. Using $_GET/$_POST in place
of $_REQUEST is no more than security theater in my opinion.

-- 
Daniel Egeberg

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
