php-general Digest 6 Sep 2011 21:47:39 -0000 Issue 7469

Topics (messages 314718 through 314719):

REQUEST and COOKIE
        314719 by: ALEJANDRO ZAPIOLA

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Seeing that $_REQUEST[] is a matrix that has the content of $_GET,
$_POST and $_COOKIE, I think this can be used maliciously in the script.
E.g.:
request1.php
<?php
        setCookie("name","alejandro");
        echo "<script>location.href='request2.php'</script>";
?>

In this case, I'm setting the variable 'name' with value 'Alejandro', then
redirecting to request2.php
request2.php
<?php
        print_r($_COOKIE);
        echo "<br>";
        print_r($_REQUEST);
        echo "<br>";
        if(@$_REQUEST['name'] == "admin"){
                echo "I am admin";
        }else{
                echo "You can not see this page";
        }
?>

Here's the problem. The variable called 'name' is in the REQUEST context, and
this is accessible by the GET and POST methods, and it is accessible by the
COOKIE matrix as well. In this case, using REQUEST is unsafe because I can
change the variable called 'name' via the GET method and it gives me access as
admin.

My question is: I do not see the good practice of using COOKIE values inside
of REQUEST; what I mean is that it can become a programming bug. Also, I
could not find answers anywhere else.

Thoughts?
Thanks!

--- End Message ---
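
Added example, not part of the message above and not code from the PHP project: it emulates how PHP merges GET, POST and cookie data into $_REQUEST under different request_order settings (left to right, later sources overwriting earlier ones), next to a hardened form of the request2.php check. The function names buildRequest() and isAdmin(), the session key 'role' and all sample values are assumptions made for illustration.

```php
<?php
// Added example; names and sample values are constructed for illustration.

// Emulates how PHP fills $_REQUEST: sources are merged left to right in the
// order given by request_order (variables_order is used when request_order
// is unset), so a later source overwrites an earlier one with the same key.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened form of the check in request2.php: the role comes from
// server-side session state written at login, never from a value the
// client sends. Pass $_SESSION here in a real script.
function isAdmin(array $session): bool
{
    return ($session['role'] ?? null) === 'admin';
}

$get    = ['name' => 'admin'];      // constructed: ?name=admin in the URL
$cookie = ['name' => 'alejandro'];  // constructed: cookie set by request1.php

// Same request, three configurations: the value seen in $_REQUEST['name']
// depends on php.ini, not on anything visible in the script.
foreach (['GPC', 'CGP', 'GP'] as $order) {
    $request = buildRequest($order, $get, [], $cookie);
    printf("request_order=%-3s  \$_REQUEST['name'] = %s\n", $order, $request['name']);
}

// The session-based check ignores GET, POST and cookies altogether.
var_dump(isAdmin(['role' => 'user']));
var_dump(isAdmin(['role' => 'admin']));
```

The php.ini-development and php.ini-production files shipped since PHP 5.3 set request_order = "GP", which keeps cookies out of $_REQUEST; reading $_GET, $_POST or $_COOKIE explicitly removes the dependency on that setting, but all three remain client-supplied.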
