Op 2/22/10 10:49 PM, John Black schreef:
> On 02/22/2010 11:42 PM, Michael Shadle wrote:
>> The difference here is you can at least have some control over the data
>> and expect it in a certain fashion. Also the behavior of cookies vs. get
>> vs. post are different (cookies have length and expiration limits, get
>> has length limits, post has server configured limits)
> The cookie and post/get part is all mixed up now :)
> I use $_COOKIE when I want cookie information but I know that the data
> is not to be trusted and is easily fabricated.
> When reading get or post I just use $_REQUEST nowadays because I don't
> have to care how the submitting form is written. This makes my form
> handling data more portable.

a. if you're updating/inserting/storing data for the user you should require
POST in order to mitigate CSRF et al - not to mention using a nonce in your 

b. when you use $_REQUEST like you do, you assume it's either GET or POST data;
it might be COOKIE data ... which will overwrite what is sent via GET or POST
in the $_REQUEST array ... which creates a potential for a denial-of-service
attack on users of a site:

imagine an 'id' parameter for displaying articles, then imagine a user was
tricked into loading a cookie onto his machine for your domain with the name
of 'id' and a value of 1 ... said user would only ever be able to see the
article referred to by id=1 if you wrote code that took the 'id' parameter
from the $_REQUEST var.

... I advocate not trusting any data *and* being explicit about the input 
on which any particular piece of data is accepted in a given context. (GET, 
are 3 different vectors)
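The following PHP is an added example, not code from the thread above: it simulates how PHP merges GET, POST and COOKIE into $_REQUEST (the source order and the 'id' cookie are constructed for the demonstration), contrasts a read that uses $_REQUEST with one that names its source explicitly, and shows the POST-plus-nonce check the reply recommends for writes.

```php
<?php
// Added example. When request_order is unset, PHP builds $_REQUEST from
// variables_order (default "EGPCS"), so COOKIE values overwrite GET and POST.
// The stock php.ini files set request_order = "GP", which excludes cookies.

/** Simulate PHP's $_REQUEST merge for a given order string (later sources win). */
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter]);
    }
    return $request;
}

/** Vulnerable read: whichever source won the merge decides which article is shown. */
function article_id_from_request(array $request): ?int
{
    return isset($request['id']) ? (int) $request['id'] : null;
}

/** Hardened read: this context accepts 'id' from the query string only. */
function article_id_from_get(array $get): ?int
{
    if (!isset($get['id']) || !ctype_digit((string) $get['id'])) {
        return null;
    }
    return (int) $get['id'];
}

/** Hardened write: require POST and a nonce bound to the session before storing. */
function can_store(string $method, array $post, string $session_nonce): bool
{
    return $method === 'POST'
        && isset($post['nonce'])
        && hash_equals($session_nonce, (string) $post['nonce']);
}

// Constructed request: the user asks for article 42, but a planted cookie says id=1.
$get    = ['id' => '42'];
$post   = [];
$cookie = ['id' => '1'];

$request = build_request($get, $post, $cookie);
var_dump(article_id_from_request($request));   // the cookie shadows the query string
var_dump(article_id_from_get($get));           // explicit source: the cookie is ignored
var_dump(can_store('GET', [], 'nonce-value'));  // a plain GET may never store data
var_dump(can_store('POST', ['nonce' => 'nonce-value'], 'nonce-value'));
```

Pass `'GP'` as the order argument to see that excluding cookies from the merge, as request_order = "GP" does, also closes the gap for code that still reads $_REQUEST.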

PHP General Mailing List (http://www.php.net/)
