I agree with you that having standards and practicing them can save you from that situation, but I still don't agree with you that $_REQUEST is more secure than $_POST or $_GET, because if I write a small script for each of them, they will all be just as secure as the next.

The question posted by Wade was whether or not it increases security. Not whether or not you'll be less likely to open yourself up to an attack because you use $_POST to validate and use $_REQUEST as the variable to use in perhaps a query. Which, btw, I've never seen done :p

Joshua Simpson wrote:


On Thu, Feb 28, 2008 at 4:02 PM, Sean <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    I've already agreed it's the better standard, but that doesn't mean
    it's more secure. In your example, if I check $_REQUEST and only that
    variable, then I would be validating the cookie and using the cookie
    for input, so if you post the same variable in both cookie and post,
    then, depending on your ini settings (which, btw, you can use to
    disable cookies from being registered in $_REQUEST ;), your post
    would be overwritten with your cookie. It's not like you'll validate
    using $_POST and then use $_REQUEST as the variable.


I'm talking about another developer, not an attack.

People don't mean to make their application insecure; it's through sloppy coding and inconsistent and implicit development. EXACTLY WHAT $_REQUEST PROMOTES.


Apparently, you still don't understand. Let's take a look at what Shiflett says (as per Richard's link he posted earlier -- thanks Richard!)

Alek writes:

"The whole $_REQUEST being less secure than $_POST argument is bogus."

Shiflett writes:

"No, it's not. You really want to argue that lowering the barrier of entry has no effect? I think you'll be hard-pressed to find anyone who agrees with you. That being said, I explicitly state that POST requests can also be forged."

And he's not even mentioning the fact that implicit assumption of the method used is much worse (in almost any context) than an explicit declaration (although I guess that's assumed from his comment --- AIEEEE, implicitness!).

--
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

--

Sean Thayne,
Exit12


_______________________________________________

UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
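The cookie-overwrites-POST behaviour that Sean describes above depends on how PHP assembles $_REQUEST from $_GET, $_POST and $_COOKIE, which is controlled by the request_order ini setting (falling back to variables_order, default "EGPCS", when request_order is empty; php.ini-production ships request_order = "GP"). The following is an added example, not code from anyone in this thread: it simulates that merge so the collision can be observed offline, and contrasts it with reading the value explicitly from $_POST. The function names and the sample key `user_id` are assumptions made for illustration.

```php
<?php
// Added example: how $_REQUEST is assembled from $_GET, $_POST and $_COOKIE
// according to request_order, and why a cookie can silently replace a
// POSTed value. Not part of the original thread.

/**
 * Simulate PHP's construction of $_REQUEST.
 * $order is a request_order string such as "GPC" or "GP"; each letter pulls
 * in one source, and sources listed later overwrite earlier ones on key
 * collision (the same rule PHP applies).
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge: keys from the right-hand array win on collision
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * The explicit form: read from the source you mean and validate that source.
 * No cookie (and no request_order setting) can influence this lookup.
 * Returns null when the field is absent or not a plain non-negative integer.
 */
function user_id_from_post(array $post): ?int
{
    if (!isset($post['user_id']) || !is_string($post['user_id'])
        || !ctype_digit($post['user_id'])) {
        return null;
    }
    return (int) $post['user_id'];
}

// Constructed sample input: the same key arrives in the POST body and in a
// cookie, as in the scenario described in the thread.
$get    = [];
$post   = ['user_id' => '42'];
$cookie = ['user_id' => '1'];

// With "GPC" the cookie is merged last, so it replaces the POSTed value.
$merged = build_request($get, $post, $cookie, 'GPC');
printf("request_order=GPC -> user_id from \$_REQUEST: %s\n", $merged['user_id']);

// With "GP" cookies never reach $_REQUEST, so the POSTed value survives.
$merged = build_request($get, $post, $cookie, 'GP');
printf("request_order=GP  -> user_id from \$_REQUEST: %s\n", $merged['user_id']);

// Explicit $_POST access gives the POSTed value under either setting.
printf("explicit \$_POST   -> user_id: %s\n", var_export(user_id_from_post($post), true));
```

Run it with `php example.php`. The first line shows the cookie value ("1") winning under "GPC", the second shows the POSTed value ("42") under "GP", and the third shows that the explicit lookup returns 42 regardless of the ini setting. The practical check for an existing deployment is `php -i | grep -E 'request_order|variables_order'`: if request_order is empty and variables_order contains "C", cookies are part of $_REQUEST and can override both GET and POST keys.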
