The difference here is you can at least have some control over the
data and expect it in a certain fashion. Also the behavior of cookies
vs. get vs. post are different (cookies have length and expiration
limits, get has length limits, post has server confgured limits)
Like I said a properly coded app won't really suffer much but why
allow for lazy coding practices and non properly
coded apps to be exploited as easy? The great deal of apps out there
are not properly coded. Again I reference my metaphor about dying. At
least try to put effort into something.
On Feb 22, 2010, at 2:26 PM, John Black <spam@network-
technologies.org> wrote:
On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET
to
POST and vice-versa and send any cookies you like, this is why I
tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. However, it encourages laziness
and
PHP's barrier to entry is so easy that there is a lot of people who
consider a cookie to be trusted, and overriding it with a simple GET
parameter is too easy of an attack vector. At least make it
difficult.
Just because someone believes that a cookie is something that can be
trusted does not make it so. A properly coded app should not care
how the client sends the information, only that the information is
it valid and expected.
A cookie is the same thing as $_POST or $_GET data but it can be
stored for a period of time, what happens to the stored data is out
of our control. Treating one any different from the other is just
wrong and will create apps with security holes.
For anybody who would like to try the GUI version of tampering with
data sent to the server checkout TamperData for FireFox.
--
John
Klarmachen zum Ändern!
http://www.youtube.com/v/AYM-_qfytfA
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
