On Mon, Feb 22, 2010 at 1:30 PM, David Murphy <da...@icewatermedia.com> wrote:
> Richard,
> The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST,
> they should ALL be treated as bad data until normalized and sanitized. The
> claim that it opens a security hole is just false, that’s like saying PHP
> is insecure, it's not, it just allows for lazy coding such as $_REQUEST.

It represents a way for people to exploit coders who don't know any better.

Expecting a cookie value to come through in $_REQUEST but you could
override using a query string parameter makes for easy exploitation.
Probably not catastrophic but much easier to brute force things if you
don't have to bother with cookies, or can fake a user identity easier;
things of that nature.

If you coded your app well, in theory it won't make much difference,
however, why keep something out there that makes it easier for people
to mess with your site, period?

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
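An added illustration of the cookie/query-string point discussed in this thread (not code from either poster): it models how PHP fills `$_REQUEST` from the `request_order` setting and compares a read from the merged array with a read from the cookie alone. `build_request()`, the two `uid_from_*()` helpers, the `uid` key and all sample values are hypothetical and constructed for this example.

```php
<?php
// Added example: models how PHP fills $_REQUEST so the effect can be seen
// from the CLI. Function names and the "uid" key are hypothetical.

// PHP walks request_order (falling back to variables_order) left to right;
// a later source overwrites an earlier one that uses the same key.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Weak read: the value may have come from the URL, the body or a cookie.
function uid_from_request(array $request): ?string
{
    return $request['uid'] ?? null;
}

// Stricter read: cookie only, plain decimal id only. The value is still
// untrusted input, but its source is no longer ambiguous.
function uid_from_cookie(array $cookie): ?int
{
    $raw = $cookie['uid'] ?? null;
    if (!is_string($raw) || preg_match('/\A[0-9]+\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample requests: same query string, cookie present or absent.
$get = ['uid' => '1'];
$cases = [
    ['GPC', ['uid' => '42']],  // cookie merged last
    ['CGP', ['uid' => '42']],  // cookie merged first
    ['GPC', []],               // no cookie sent at all
    ['GP',  ['uid' => '42']],  // cookies left out of $_REQUEST
];
foreach ($cases as [$order, $cookie]) {
    $merged = uid_from_request(build_request($get, [], $cookie, $order));
    $strict = uid_from_cookie($cookie);
    printf("order=%-3s merged=%s cookie_only=%s\n", $order,
        var_export($merged, true), var_export($strict, true));
}
```

Run it with `php` on the command line; comparing the two columns per row shows when the merged value stops reflecting the cookie.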
