I've already agreed it's the better standard but that doesn't mean it's
more secure. In your example if I check $_REQUEST and only that variable
then I would be validating the cookie, and using the cookie for input,
so if you post the same variable in both cookie and post then depending
on your ini settings (which btw you can disable cookies from being
registered in $_REQUEST ;), then your post would be overwritten with
your cookie; it's not like you'll validate using $_POST and then use
$_REQUEST as the variable.
Your example is very flawed.
Joshua Simpson wrote:
On Thu, Feb 28, 2008 at 3:14 PM, Sean <[EMAIL PROTECTED]> wrote:
Joshua,
Simply by saying that it's more secure because it's more
standardized and better code design doesn't make it more secure; if you
can be hacked with request, you can be hacked by post and get too.
Standards in this case add no more security than using tabs in your
code versus spaces. I do agree that it's the better practice overall,
but that doesn't mean it's more secure, just better written.
You need to dive into security more, then, because better written code
is almost always more secure. It's easier to maintain; and problems
with maintaining code are one of the biggest reasons web applications
get broken into.
Let's take my overwriting the cookie example. If you're doing
operations where you're cleansing the $_REQUEST code, and I can
override $_REQUEST with a cookie setting and bypass your validation,
where are you at now?
Easily maintainable code and easily readable code is, inherently, more
secure than unmaintainable code and unreadable code.
dw
--
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
--
Sean Thayne,
Exit12
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
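The disagreement above hinges on how PHP fills $_REQUEST: later letters in request_order (or variables_order, when request_order is unset) overwrite earlier ones, so under "GPC" a cookie named like a POST field wins, while "GP" keeps cookies out entirely. The following is an added example, not code from either poster; build_request() is a hypothetical stand-in for PHP's own merging, and the $get/$post/$cookie arrays are constructed inputs.

```php
<?php
// Models how PHP merges GET/POST/COOKIE into $_REQUEST for a given
// request_order string. array_merge lets keys from later sources overwrite
// earlier ones, which is exactly the "cookie overrides post" behaviour.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// A typical check: an id must be all digits.
function is_numeric_id(array $src): bool
{
    return isset($src['id']) && ctype_digit($src['id']);
}

// Constructed inputs: the form posts an id; a cookie reuses the same name.
$get    = [];
$post   = ['id' => '42'];
$cookie = ['id' => 'admin'];

foreach (['GPC', 'GP'] as $order) {
    $request = build_request($get, $post, $cookie, $order);
    printf("request_order=%s -> \$_REQUEST['id'] = %s\n",
        $order, var_export($request['id'], true));

    // The mismatch Joshua describes: validate $_POST, then read $_REQUEST.
    // Under GPC the check passes on '42' but the code would use 'admin'.
    if (is_numeric_id($post)) {
        printf("  validated \$_POST, would use %s\n", var_export($request['id'], true));
    }

    // Sean's point: validate and use the same array, and the cookie is
    // either rejected (GPC) or never present (GP).
    printf("  validate and use \$_REQUEST: %s\n",
        is_numeric_id($request) ? 'accepted' : 'rejected');
}

// On a live server the effective order can be read with:
// ini_get('request_order') ?: ini_get('variables_order')
```

Run it with `php` on the command line; the GPC pass shows the POST-validated value silently replaced by the cookie value, and the GP pass shows the cookie never reaching $_REQUEST at all.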