On Tue, 2010-02-23 at 09:19 +0000, Richard wrote: > Hi, > > Well people better than me (how is that possible?!) have said that > $_REQUEST has the potential to open your app up to security > vulnerabilities, and that it should be avoided because of that. Here's > a post from Stephan Esser about it on the PHP-Internals list: > > http://www.mail-archive.com/internals@xxxxxxxxxxxxx/msg32832.html > > Stephan heads up the Hardened-PHP project and when it comes to > security, I don't know of anyone better. So, if he advises not to use > _REQUEST, it's a good idea to follow that advice. > > -- > Richard Heyes > Well, he's only saying there that it 'most probably vulnerable' and mentions that cookies can overwrite post and get data. This isn't a problem with $_REQUEST itself but rather an applications' use of it. So what if someone crafts a cookie to send a bad value. If someone has the gen to do that, then they are going to know how to send get and post values as well. Only decent sanitisation will be able to protect against this. If the order of override variables in $_REQUEST is such an issue too, use the request_order ini setting to specify the order you'd prefer. I've never had any issues with using $_REQUEST, but found a lot of advantages to using it, as I often use a mix of data sources in the same app. Thanks, Ash http://www.ashleysheridan.co.uk
