On Thu, Feb 28, 2008 at 4:02 PM, Sean <[EMAIL PROTECTED]> wrote:
> I've already agreed it's the better standard but that doesn't mean it's
> more secure. In your example if I check $_REQUEST and only that variable
> then I would be validating the cookie, and using the cookie for input,
> so if you post the same variable in both cookie and post then depending
> on your ini settings, (which btw you can disable cookies from being
> registered in $_REQUEST ;), then your post would be overwritten with
> your cookie, it's not like you'll validate using $_POST and then use
> $_REQUEST as the variable.
>
I'm talking about another developer, not an attack. People don't mean to make their application insecure; it's through sloppy coding and inconsistent and implicit development. EXACTLY WHAT $_REQUEST PROMOTES. Apparently, you still don't understand.

Let's take a look at what Shiflett says (as per Richard's link he posted earlier -- thanks Richard!)

Alek writes: "The whole $_REQUEST being less secure than $_POST argument is bogus."

Shiflett writes: "No, it's not. You really want to argue that lowering the barrier of entry has no effect? I think you'll be hard-pressed to find anyone who agrees with you. That being said, I explicitly state that POST requests can also be forged."

And he's not even mentioning the fact that implicit assumption of the method used is much worse (in almost any context) than an explicit declaration (although I guess that's assumed from his comment --- AIEEEE, implicitness!).

-- 
- http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
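The cookie-overwrites-POST behaviour Sean describes, and the "implicit vs explicit method" point made in the reply, can be reproduced from the command line without a web server. The script below is an added example, not code from either poster: `build_request()` rebuilds `$_REQUEST` the way PHP's `request_order` ini directive does (left to right, later sources override earlier ones, `G`=GET, `P`=POST, `C`=COOKIE; an empty `request_order` falls back to `variables_order`), and the two handler functions and all request data are constructed for illustration.

```php
<?php
// Added example (not from the thread): how $_REQUEST is assembled from
// $_GET, $_POST and $_COOKIE according to request_order, and why a handler
// that reads $_POST explicitly cannot be silently fed a cookie value.
// All request data below is constructed; nothing here touches a real request.

declare(strict_types=1);

/**
 * Rebuild $_REQUEST the way PHP does for a given request_order string:
 * sources are merged left to right, so a later letter overrides an earlier one.
 * Letters: G = $_GET, P = $_POST, C = $_COOKIE. Unknown letters are ignored.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: the right-hand array wins on collisions
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hypothetical handler written against $_REQUEST: it never states which
// input channel 'user' is expected to arrive on, so the ini setting decides.
function handler_implicit(array $request): string
{
    return 'acting as ' . ($request['user'] ?? '(none)');
}

// The same handler written against $_POST only: the method is explicit and
// a cookie of the same name is simply never consulted.
function handler_explicit(array $post): string
{
    return 'acting as ' . ($post['user'] ?? '(none)');
}

// Constructed request: the form posted user=alice, but the browser also sends
// a cookie named 'user' (left behind by another script on the same site).
$get    = [];
$post   = ['user' => 'alice'];
$cookie = ['user' => 'bob'];

// "GPC" is what you get from the default variables_order when request_order
// is empty; "GP" is the value shipped in php.ini-production.
foreach (['GPC', 'GP'] as $order) {
    $request = build_request($get, $post, $cookie, $order);
    printf("request_order=%s  implicit: %s | explicit: %s\n",
        $order, handler_implicit($request), handler_explicit($post));
}
```

Run it with `php request_order_demo.php`. Under `GPC` the implicit handler reports the cookie's value while the explicit one reports the posted value; under `GP` both agree, which is exactly the point of the thread: the `$_REQUEST` code's behaviour depends on a deployment setting the developer may never have looked at, whereas the `$_POST` code means the same thing on every server.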
