Seeing the $_REQUEST[] and it is a matrix that has the content of $_GET,
$_POST and $_COOKIE, I think this can be used maliciously into the script.
i.e.:
request1.php
<?php
setCookie("name","alejandro");
echo "<script>location.href='request2.php'</script>";
?>
In this case, I'm setting the variable 'name' with value 'Alejandro', then
redirects to request2.php
request2.php
?php
print_r($_COOKIE);
echo "<br>";
print_r($_REQUEST);
echo "<br>";
if(@$_REQUEST['name'] == "admin"){
echo "I am admin";
}else{
echo "You can not see this page";
}
?>
Here's the problem. The variable called 'name' is into REQUEST context, and
this is accessible by GET and POST methods, and it is accessible by the
COOKIE matrix as well. In this case, use Request is unsafe because I can
change the variable called 'name' via GET method and it's give me access as
admin.
Mi question is: I do not see the good practice of using COOKIE values into
of REQUEST, what I mean is that it can become in a programming bug. Also I
could not fin answers anywhere else.
thoughts?
Thanks!
