The difference here is you can at least have some control over the data and expect it in a certain fashion. Also the behavior of cookies vs. get vs. post are different (cookies have length and expiration limits, get has length limits, post has server confgured limits)

Like I said a properly coded app won't really suffer much but why allow for lazy coding practices and non properly coded apps to be exploited as easy? The great deal of apps out there are not properly coded. Again I reference my metaphor about dying. At least try to put effort into something.


On Feb 22, 2010, at 2:26 PM, John Black <s...@network- technologies.org> wrote:

On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET to POST and vice-versa and send any cookies you like, this is why I tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. However, it encourages laziness and
PHP's barrier to entry is so easy that there is a lot of people who
consider a cookie to be trusted, and overriding it with a simple GET
parameter is too easy of an attack vector. At least make it difficult.

Just because someone believes that a cookie is something that can be trusted does not make it so. A properly coded app should not care how the client sends the information, only that the information is it valid and expected.

A cookie is the same thing as $_POST or $_GET data but it can be stored for a period of time, what happens to the stored data is out of our control. Treating one any different from the other is just wrong and will create apps with security holes.

For anybody who would like to try the GUI version of tampering with data sent to the server checkout TamperData for FireFox.

--
John
Klarmachen zum Ă„ndern!
http://www.youtube.com/v/AYM-_qfytfA

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to