On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET to
POST and vice-versa and send any cookies you like, this is why I tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. However, it encourages laziness and
PHP's barrier to entry is so easy that there is a lot of people who
consider a cookie to be trusted, and overriding it with a simple GET
parameter is too easy of an attack vector. At least make it difficult.
Just because someone believes that a cookie is something that can be
trusted does not make it so. A properly coded app should not care how
the client sends the information, only that the information is it valid
A cookie is the same thing as $_POST or $_GET data but it can be stored
for a period of time, what happens to the stored data is out of our
control. Treating one any different from the other is just wrong and
will create apps with security holes.
For anybody who would like to try the GUI version of tampering with data
sent to the server checkout TamperData for FireFox.
Klarmachen zum Ändern!
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php