Op 2/23/10 10:27 AM, Ashley Sheridan schreef:
> On Tue, 2010-02-23 at 09:19 +0000, Richard wrote:
>> Hi,
>> Well people better than me (how is that possible?!) have said that
>> $_REQUEST has the potential to open your app up to security
>> vulnerabilities, and that it should be avoided because of that. Here's
>> a post from Stephan Esser about it on the PHP-Internals list:
>> http://www.mail-archive.com/intern...@lists.php.net/msg32832.html
>> Stephan heads up the Hardened-PHP project and when it comes to
>> security, I don't know of anyone better. So, if he advises not to use
>> _REQUEST, it's a good idea to follow that advice.
>> -- 
>> Richard Heyes
> Well, he's only saying there that it 'most probably vulnerable' and
> mentions that cookies can overwrite post and get data. This isn't a
> problem with $_REQUEST itself but rather an applications' use of it. So
> what if someone crafts a cookie to send a bad value. If someone has the
> gen to do that, then they are going to know how to send get and post
> values as well. Only decent sanitisation will be able to protect against
> this.
> If the order of override variables in $_REQUEST is such an issue too,
> use the request_order ini setting to specify the order you'd prefer.
> I've never had any issues with using $_REQUEST, but found a lot of
> advantages to using it, as I often use a mix of data sources in the same
> app.

and that is exactly Essers point. you use $_REQUEST and assume the data came
from either GET or POST ... I'd hazard a guess your apps never expect such 
data to be coming via COOKIE ... so your app will work as 'advertised' but if 
one happens to slip a cookie onto someone else machine whose name matches some
rather important GET/POST input then it's that user who potentially has just 
a denial of service - and you'll get the blame for the fact things don't work 
you'll probably never be able to work out that it's a rogue cookie on the 
client putting
a spanner in the works. (imagine you have an 'id' parameter and I managed to 
set a
cookie on your users' machine called 'id' with a value of 1 ... have fun with 

you should be as strict with exceptable input vectors as you are with 
of the actual input.

use of $_REQUEST is rather lazy - if you want to except either POST or GET for 
a given
input write a simple wrapper function for that specific requirement - this will 
save you from unforeseen problems related to incorrect or changed values for the
request_order ini setting.

> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to