[FX.php List] $_REQUEST
Kevin Futter
kfutter at sbc.melb.catholic.edu.au
Wed Jul 30 16:24:34 MDT 2008
On 31/07/08 8:00 AM, "Jonathan Schwartz" <jschwartz at exit445.com> wrote:
> I assumed that everyone has this challenge. Folks arrive to a given
> page from either a link using a GET or a form using a POST. Let's say
> that we need to edit the page and the recid is the field in question.
> Either the GET or the POST has to contain a recid or it's a no go....
>
> if(isset($_GET['recid']) or isset($_POST['recid']))
> {
> Good
> }else{
> Bad
> }
>
> or, the other way...
>
> if(!isset($_GET['recid']) and !isset($_POST['recid']))
> {
> Bad
> }else{
> Good
> }
>
> Of course, just testing for empty isn't good enough, so this code
> starts to expand. ;-)
>
> Just thought that the $_REQUEST was a simpler approach that I had overlooked.
>
> J
>
>
> At 4:40 PM -0500 7/30/08, Andrew Denman wrote:
>>
>> I have not yet had an instance where I'm using both POST and GET so I
>> haven't used $_REQUEST and cannot provide first-hand experience.
>> detection.
>>
>> Andrew Denman
Jonathan,
$_REQUEST is inherently insecure for some of the reasons already suggested,
and I'd avoid using it. I think they even say as much in the PHP manual
(though my memory may be playing tricks on me there). It becomes too easy
for a hacker to slip something into a $_GET string that you're not
explicitly checking for, and get it by you. It's too fast and loose.
--
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/
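An added example (not from Kevin's or Jonathan's post) of the explicit approach Kevin is recommending: read `recid` only from the sources the page expects, validate it, and never consult `$_REQUEST`. The function takes the GET and POST arrays as parameters so it can be exercised from the command line; the cookie value and the merged array at the end are constructed to show how `$_REQUEST` can be satisfied by a source the code never asked about.

```php
<?php
// Added example, not part of the list thread. Assumes PHP 7.1+.

/**
 * Return a validated recid from GET or POST, or null when it is absent or
 * malformed. The arrays are passed in (rather than reading $_GET/$_POST
 * directly) so the function can be tested without a web server.
 */
function recid_from_request(array $get, array $post): ?int
{
    // Explicit precedence: a form submission (POST) wins over a link (GET).
    if (array_key_exists('recid', $post)) {
        $raw = $post['recid'];
    } elseif (array_key_exists('recid', $get)) {
        $raw = $get['recid'];
    } else {
        return null;   // "no go": neither expected source supplied it
    }

    // "Just testing for empty isn't good enough": require a positive integer
    // of sane length, and reject arrays (?recid[]=x) and anything else.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed inputs covering the cases in the thread plus two malformed ones.
$cases = [
    'form post'      => [[],                        ['recid' => '42']],
    'link'           => [['recid' => '7'],          []],
    'neither'        => [[],                        []],
    'tampered value' => [['recid' => '1 OR 1=1'],   []],
    'array trick'    => [['recid' => ['x']],        []],
];

foreach ($cases as $label => [$get, $post]) {
    $id = recid_from_request($get, $post);
    printf("%-15s => %s\n", $label, $id === null ? 'Bad' : "Good (recid $id)");
}

// Why $_REQUEST is "fast and loose": depending on variables_order /
// request_order in php.ini it is built from GET, POST and COOKIE together,
// so a value the code never asked to read from a cookie can pass an
// isset($_REQUEST['recid']) check. Simulated here with a constructed cookie.
$get = [];
$post = [];
$cookie = ['recid' => '9999'];                 // constructed stray cookie
$simulated_request = array_merge($get, $post, $cookie);

var_dump(isset($simulated_request['recid']));  // true: the loose check passes
var_dump(recid_from_request($get, $post));     // NULL: explicit sources say no go
```

The point of passing `$get` and `$post` explicitly is that every accepted input has a named source and a named shape; if a page later needs to accept the id from a cookie as well, that becomes a deliberate, visible change rather than something `$_REQUEST` was silently doing all along.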