On 09/06/2011 05:47 PM, ALEJANDRO ZAPIOLA wrote:
> Seeing the $_REQUEST[] and it is a matrix that has the content of $_GET,
> $_POST and $_COOKIE, I think this can be used maliciously into the script.
> i.e.:
> request1.php
> <?php
>         setCookie("name","alejandro");
>         echo "<script>location.href='request2.php'</script>";
> ?>
> In this case, I'm setting the variable 'name' with value 'Alejandro', then
> redirects to request2.php
> request2.php
> ?php
>         print_r($_COOKIE);
>         echo "<br>";
>         print_r($_REQUEST);
>         echo "<br>";
>         if(@$_REQUEST['name'] == "admin"){
>                 echo "I am admin";
>         }else{
>                 echo "You can not see this page";
>         }
> ?>
> Here's the problem. The variable called 'name' is into REQUEST context, and
> this is accessible by GET and POST methods, and it is accessible by the
> COOKIE matrix as well. In this case, use Request is unsafe because I can
> change the variable called 'name' via GET method and it's give me access as
> admin.
> Mi question is: I do not see the good practice of using COOKIE values into
> of REQUEST, what I mean is that it can become in a programming bug. Also I
> could not fin answers anywhere else.
> thoughts?
> Thanks!

Why would you use this method to for authentication or validation? By
default, $_REQUEST is populated with the $_GET, $_POST and $_COOKIE
contents, which could potentially be modified by the remote user, which
in turns makes the data not trustworthy.

Never trust input data, ever, it must be sanitized, scrubbed, etc before
even considering it trustworthy - in my opinion.

As for your question, it makes complete sense to populate $_REQUEST with
$_GET, $_POST and $_COOKIE contents by default because the three call in
the REQUEST category for the HTTP protocol. Since the cookie was sent by
the server, the COOKIE header is going to be evident in the REQUEST headers.

Therefore, the only way a bug is going to be introduced and security
breached is by the author of the code ;)


The PHP team even makes mention that the contents of $_REQUEST cannot be


Reply via email to