On Thu, Feb 28, 2008 at 4:18 PM, Sean <[EMAIL PROTECTED]> wrote:

> I agree with you that having standards and practicing them can save you
> from that situation, but I am still not agreeing with you on the fact
> that $_REQUEST is more secure than $_POST or $_GET, because if I write a
> small script for each of them, they will all be just as secure as the
> next.

Security isn't necessarily about fixing just the apparent holes in your application; it has to do with a lot more than that. It has to do with your design and security paradigm, which, when you use $_REQUEST, is flawed. If you use the underlying protocol inappropriately (HTTP and its methods), you're introducing a whole new set of problems. I've said that using $_REQUEST isn't a security hole per se; what I'm saying is that by introducing $_REQUEST, you're introducing yet another possibility of unexpected bugs. Unexpected bugs can lead to security holes.

> The question posted by Wade was whether or not it increases security.
> Not whether or not you'll be less likely to open yourself up for an
> attack because you use $_POST to validate and use $_REQUEST as the
> variable to use in perhaps a query. Which btw I've never seen done :p

And if you read my original response, you'll see the point I was trying to make. If people (especially a whole slew of PHP developers) had a proper security practice and design approach in place from the start, you wouldn't see nearly as many unexpected security holes in their applications. THAT is my argument. And that by subverting the HTTP protocol by treating GET and POST requests the same, you're just plain dumb. Being dumb leads to security problems too.

--
- http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
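The "validate on $_POST, read from $_REQUEST" pattern Sean mentions is exactly where the unexpected bugs the reply warns about come from. The following is an added example written for this page, not code posted by either participant. It runs from the CLI with no web server: `build_request()` reproduces how PHP assembles $_REQUEST (later sources in `request_order` overwrite earlier ones; php.ini-production ships `request_order = "GP"`, and when it is empty `variables_order`, e.g. `EGPCS`, is used instead), and the two handlers, the request values, and their names are constructed for illustration.

```php
<?php
// Added example (not from the thread): simulate how $_REQUEST is built
// and why checking $_POST but reading $_REQUEST leads to surprises.

// Build $_REQUEST the way PHP does: later sources overwrite earlier ones,
// in the order given by request_order ("GP" in php.ini-production; when
// request_order is empty, variables_order such as "EGPCS" applies).
function build_request(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {          // E and S carry no request data here
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Weak handler (hypothetical): confirms on $_POST but reads the item id
// from $_REQUEST. Returns the id it would act on, or null if it refuses.
function delete_item_weak(array $post, array $request): ?string
{
    if (!isset($post['confirm'])) {
        return null;                 // "validated" against POST only...
    }
    return $request['id'] ?? null;   // ...but the value may come from GET or a cookie
}

// Hardened handler (hypothetical): a state change requires the POST method,
// and every input is read from $_POST, so query-string parameters and
// cookies cannot leak into the query.
function delete_item_strict(string $method, array $post): ?string
{
    if ($method !== 'POST') {
        return null;                 // GET must stay side-effect free
    }
    if (!isset($post['confirm'], $post['id'])) {
        return null;
    }
    if (!ctype_digit($post['id'])) {
        return null;                 // single source first, then a type check
    }
    return $post['id'];
}

// Constructed request: the form posted confirm=1 and id=42, but the page
// URL also carried ?id=7 (an old link) and a stale cookie named id is set.
$get    = ['id' => '7'];
$post   = ['confirm' => '1', 'id' => '42'];
$cookie = ['id' => '99'];

$req_gp    = build_request($get, $post, $cookie, 'GP');    // POST overrides GET
$req_egpcs = build_request($get, $post, $cookie, 'EGPCS'); // cookie overrides POST

// With "GP" the weak handler happens to see the form's id; with "EGPCS" it
// acts on the cookie's id, although the confirm check passed on the form.
printf("weak, request_order=GP:      deletes %s\n", delete_item_weak($post, $req_gp));
printf("weak, variables_order=EGPCS: deletes %s\n", delete_item_weak($post, $req_egpcs));
printf("strict POST:                 deletes %s\n", delete_item_strict('POST', $post));
printf("strict GET:                  deletes %s\n", var_export(delete_item_strict('GET', $post), true));

// Drop id from the form body: the weak handler silently acts on the id
// from the query string, the strict one refuses.
$post_no_id = ['confirm' => '1'];
$req_no_id  = build_request($get, $post_no_id, [], 'GP');
printf("weak, id only in GET:        deletes %s\n", delete_item_weak($post_no_id, $req_no_id));
printf("strict, id only in GET:      deletes %s\n", var_export(delete_item_strict('POST', $post_no_id), true));
```

The point of the simulation is that the weak handler's behaviour depends on an ini setting and on whatever the browser happens to send alongside the form, while the strict handler's behaviour is fixed by the request method and one input array. Reading all inputs for a given action from a single superglobal, and refusing state-changing work on GET, removes the ambiguity rather than trying to validate it away.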
