[FX.php List] $_REQUEST
Leo R. Lundgren
leo at finalresort.org
Wed Jul 30 16:33:12 MDT 2008
31 jul 2008 kl. 00.24 skrev Kevin Futter:
> On 31/07/08 8:00 AM, "Jonathan Schwartz" <jschwartz at exit445.com>
> wrote:
>
>> I assumed that everyone has this challenge. Folks arrive to a given
>> page from either a link using a GET or a from using a POST. Let's say
>> that we need to edit the page and the recid is the field in question.
>> Either the GET or the POST has to contain a recid or it's a no go....
>>
>> if(isset($_GET['recid']) or isset($_POST[recid])
>> {
>> Good
>> }else{
>> Bad
>> }
>>
>> or, the other way...
>>
>> if(!isset($_GET['recid']) and !isset($_POST[recid])
>> {
>> Bad
>> }else{
>> Good
>> }
>>
>> Of course, just testing for empty isn't good enough, so this code
>> starts to expand. ;-)
>>
>> Just thought that the $_REQUEST was a simpler approach that I had
>> overlooked.
>>
>> J
>>
>>
>> At 4:40 PM -0500 7/30/08, Andrew Denman wrote:
>>>
>>> I have not yet had an instance where I'm using both POST and GET
>>> so I
>>> haven't used $_REQUEST and cannot provide first-hand experience.
>>> detection.
>>>
>>> Andrew Denman
>
> Jonathan,
>
> $_REQUEST is inherently insecure for some of the reasons already
> suggested,
> and I'd avoid using it. I think they even say as much in the PHP
> manual
> (though my memory may be playing tricks on me there). It becomes
> too easy
> for a hacker to slip something into a $_GET string that you're not
> explicitly checking for, and get it by you. It's too fast and loose.
>
> --
> Kevin Futter
> Webmaster, St. Bernard's College
> http://www.sbc.melb.catholic.edu.au/
>
In any case, what it all comes down to in the end is that the
programmer must be the one in control of the flow, and make sure that
whatever trash comes in as part of a direct attack or a XSS or
whatever, is validated, cleaned, and handled in a safe way. If that
is taken care of, then you're pretty good. Of course, who can know
that they've done a safe job? Not always as easy, which is why it
might be a good idea to listen to recommendations :)
-|
More information about the FX.php_List
mailing list