$_REQUEST is not particularly dangerous compared to $_GET or $_POST; it is just one more validation you can make: if you expect data from a POST, check it from POST. That's why I mentioned that form where I entered my personal data. The form was sent as POST but it took a faked GET from me; that's one mistake, but the worst was that the validation done in JavaScript on the client side was not repeated on the server side, so it let my ID card number through. If they had done the data validation, it would have rejected my data whether it came via GET or POST.

Your application might require that flexibility of accepting data via POST or GET, in which case it is just fine. Contrary to another post I've read, there is nothing good about register_globals; that is why it is now defaulted to off and kept for compatibility, though highly discouraged. There is nothing intrinsically wrong with $_REQUEST; it is slightly more vulnerable than differentiating POSTs from GETs, but it is not the worst you can do.

Satyam
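The points in this reply (refuse a faked GET when the form is sent as POST, and repeat the client-side checks on the server) as an added PHP example; this is not code from the thread, and the 8-digit ID card format and the field names are assumptions for illustration:

```php
<?php
// Added example: a form handler that accepts profile data only from a POST
// body and repeats the client-side validation on the server.
declare(strict_types=1);

/**
 * Validate one submission. $method and $params stand in for
 * $_SERVER['REQUEST_METHOD'] and $_POST so the function can be exercised
 * offline; in a real handler pass those superglobals directly.
 * Returns a list of error strings; an empty list means the data is accepted.
 */
function validateProfileSubmission(string $method, array $params): array
{
    $errors = [];

    // 1. The form is sent as POST, so a GET carrying the same fields is
    //    refused outright instead of being read through $_REQUEST.
    if ($method !== 'POST') {
        return ['expected a POST request, got ' . $method];
    }

    // 2. Repeat every check the JavaScript does: browser-side checks can be
    //    skipped by anyone who builds the request by hand.
    $name = trim((string)($params['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }

    // Hypothetical ID card format: exactly 8 digits (assumption for the example).
    $idCard = (string)($params['id_card'] ?? '');
    if (!preg_match('/^[0-9]{8}$/', $idCard)) {
        $errors[] = 'id_card must be exactly 8 digits';
    }

    return $errors;
}

// Constructed sample requests, not real traffic.
$cases = [
    'valid POST'      => ['POST', ['name' => 'Ana', 'id_card' => '12345678']],
    'faked GET'       => ['GET',  ['name' => 'Ana', 'id_card' => '12345678']],
    'bad ID via POST' => ['POST', ['name' => 'Ana', 'id_card' => 'ABC-123']],
];

foreach ($cases as $label => [$method, $params]) {
    $errors = validateProfileSubmission($method, $params);
    printf("%-16s %s\n", $label . ':', $errors ? implode('; ', $errors) : 'accepted');
}
```

Run with `php handler.php`; only the first case is accepted, the faked GET is refused before any field is read, and the malformed ID is rejected even though a browser's JavaScript would normally have caught it first.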

----- Original Message -----
From: "Martin Marques" <martin@bugs.unl.edu.ar>
To: "Satyam" <[EMAIL PROTECTED]>
Cc: <php-general@lists.php.net>
Sent: Saturday, June 17, 2006 11:22 PM
Subject: Re: [PHP] GET, POST, REQUEST



On Sat, 17 Jun 2006 15:01:23 +0200, "Satyam" <[EMAIL PROTECTED]> wrote:
In general, user input should never be trusted. Someone once told me that if you ask for yes or no, you should always validate for yes, no and don't know (of course, this was before windowed environments where the users can only click what you offer them).

Yes, I do validation. Incoming data is inserted into objects via methods that validate it first.

What I was asking is why $_REQUEST is untrusted while $_POST and $_GET are (or at least they are not explicitly untrusted).

--
---------------------------------------------------------
Lic. Martín Marqués         |   SELECT 'mmarques' ||
Centro de Telemática        |       '@' || 'unl.edu.ar';
Universidad Nacional        |   DBA, Programador,
   del Litoral             |   Administrador
---------------------------------------------------------

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php