--- Ben Edwards <[EMAIL PROTECTED]> wrote:
> what I don't understand is if $_GET is being used people can just
> change the URL anyway so why is it an issue?
It is only an issue in the sense that it hides the origin of data. An attacker
can leverage this fact to exploit weaknesses in your application. When a
developer uses $_GET['foo'] in his/her code, it is more obvious that the data
is tainted than if the developer uses $foo, which could be tainted or could be
filtered.
It also keeps client data from crossing over, and distinguishing between POST
data and GET data can be crucial in defending against attacks such as
Cross-Site Request Forgeries (CSRF).
Hope that helps.
Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
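The two points above (register_globals blurring where `$foo` came from, and keeping POST and GET separate as part of a CSRF defense) are easier to see in code. The following is an added example, not code from Chris's mail or from any PHP project; the function names (`isAuthorizedLegacy`, `csrfToken`, `handleTransfer`), the `amount`/`csrf_token` field names and the constructed request arrays are all assumptions made for illustration. It simulates the register_globals effect with `extract()` rather than changing php.ini, so it runs on any modern PHP.

```php
<?php
declare(strict_types=1);

/*
 * Part 1: how register_globals hides the origin of data.
 *
 * With register_globals=On, "?authorized=1" in the URL created a global
 * $authorized before the script ran. We simulate that with extract() on a
 * constructed request array (EXTR_SKIP keeps it from clobbering parameters).
 * If the "trusted" assignment is skipped on some code path, $authorized
 * silently keeps the client-supplied value and the reader of this code
 * cannot tell whether it was filtered or tainted.
 */
function isAuthorizedLegacy(array $requestVars, ?bool $sessionFlag): bool
{
    extract($requestVars, EXTR_SKIP);   // simulates register_globals; never do this in real code
    if ($sessionFlag !== null) {
        $authorized = $sessionFlag;     // the filtered, server-side source
    }
    // When the session branch did not run, $authorized came straight from the request.
    return isset($authorized) && (bool) $authorized;
}

/*
 * Part 2: explicit superglobals plus a CSRF token.
 *
 * The state-changing handler reads only from $post, never falls back to $get,
 * and requires a per-session token that a cross-site form cannot know.
 */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function handleTransfer(string $method, array $post, array $get, array $session): string
{
    if ($method !== 'POST') {
        return 'rejected: state change must be POSTed';   // GET data is deliberately ignored
    }
    $expected = $session['csrf_token'] ?? '';
    $token    = $post['csrf_token'] ?? '';
    // Empty-token check first: hash_equals('', '') would otherwise return true.
    if ($expected === '' || !hash_equals($expected, $token)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($amount === false) {
        return 'rejected: invalid amount';
    }
    return "ok: transferring $amount";
}

// --- Constructed requests for demonstration ---
// Legacy: no session decision was made, so the URL parameter decides. Prints 'yes'.
echo isAuthorizedLegacy(['authorized' => '1'], null) ? "yes\n" : "no\n";
// Legacy: the session value wins when present. Prints 'no'.
echo isAuthorizedLegacy(['authorized' => '1'], false) ? "yes\n" : "no\n";

$session = [];
$token   = csrfToken($session);
// Forged cross-site request: GET with the amount in the URL.
echo handleTransfer('GET',  [], ['amount' => '100'], $session), "\n";
// Forged POST from another origin: no token available to the attacker's form.
echo handleTransfer('POST', ['amount' => '100'], [], $session), "\n";
// Legitimate POST from our own form, which embedded the session token.
echo handleTransfer('POST', ['amount' => '100', 'csrf_token' => $token], [], $session), "\n";
```

The legitimate form would carry the token as a hidden field, e.g. `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token) ?>">`; because the handler never consults `$_GET` for the action, a link or image tag on another site cannot trigger the transfer, and because the token is compared with `hash_equals`, a forged POST without it is rejected before any input is processed.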
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php