On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET to
POST and vice-versa and send any cookies you like, this is why I tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. However, it encourages laziness and
PHP's barrier to entry is so easy that there is a lot of people who
consider a cookie to be trusted, and overriding it with a simple GET
parameter is too easy of an attack vector. At least make it difficult.

Just because someone believes that a cookie is something that can be trusted does not make it so. A properly coded app should not care how the client sends the information, only that the information is it valid and expected.

A cookie is the same thing as $_POST or $_GET data but it can be stored for a period of time, what happens to the stored data is out of our control. Treating one any different from the other is just wrong and will create apps with security holes.

For anybody who would like to try the GUI version of tampering with data sent to the server checkout TamperData for FireFox.

Klarmachen zum Ă„ndern!

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to