On Mon, Feb 22, 2010 at 2:07 PM, John Black
<s...@network-technologies.org> wrote:

> And how is this more secure? I can create a cookie, send post or get on my
> client machine and send anything I want to the server. Just because you are
> getting a cookie does not mean that you created it :)
>
> So you might as well use request because the data can not be trusted either
> way.

Kind of like saying "why bother exercising and keeping healthy - we're
going to die anyway".

"Secure" might be the wrong term here. As you can easily change GET to
POST and vice-versa and send any cookies you like, this is why I tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. However, it encourages laziness and
PHP's barrier to entry is so easy that there are a lot of people who
consider a cookie to be trusted, and overriding it with a simple GET
parameter is too easy of an attack vector. At least make it difficult.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
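
An added illustration of the point discussed in this message, not code from the thread: it shows how a value the application expects in a cookie can arrive from the query string once GET, POST and cookie data are merged the way `$_REQUEST` is, and what reading from one named source looks like. `build_request()` and `cookie_value()` are hypothetical helpers and the request values are constructed; the merge order follows PHP's `request_order` / `variables_order` rule that a later source overwrites an earlier one.

```php
<?php
// Added illustration; build_request() and cookie_value() are hypothetical helpers.

// Mimics how PHP fills $_REQUEST: sources are merged in the order given by
// request_order (variables_order when request_order is unset), and a later
// source overwrites an earlier one with the same key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Reads one named source only and still validates, because a cookie is
// client-supplied data too.
function cookie_value(array $cookie, string $name, array $allowed, string $default): string
{
    $value = $cookie[$name] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

// Constructed sample request: /page.php?theme=dark&debug=1 with Cookie: theme=light
$get    = ['theme' => 'dark', 'debug' => '1'];
$post   = [];
$cookie = ['theme' => 'light'];

foreach (['GPC', 'CGP', 'GP'] as $order) {
    $req = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s theme=%s debug=%s\n", $order, $req['theme'], $req['debug'] ?? '(unset)');
}

// Explicit source: the query string cannot stand in for the cookie.
printf("cookie theme=%s\n", cookie_value($cookie, 'theme', ['light', 'dark'], 'light'));
printf("cookie debug=%s\n", cookie_value($cookie, 'debug', ['0', '1'], '0'));
```

With `GPC` the cookie wins for `theme`, but `debug` still comes from the query string because no such cookie exists; with `CGP` or `GP` the query string decides both.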
