[FX.php List] $_REQUEST
Lindal, Mark
mlindal at pfc.cfs.nrcan.gc.ca
Wed Jul 30 17:04:44 MDT 2008
I just went through this with a battery of IT security 'experts', who,
when they saw I used $_REQUEST, went through the roof and wanted the site
shut down.
However, if you have the proper validation code in place, you can use
$_REQUEST. We spent exhaustive amounts of time validating everything.
Yes, the dangers of $_GET have to be thought of, and all $_GET values
need to be checked to see whether they are real data or not. Hackers can
even set up $_POST values to send to insecure web sites.
The lesson we learned was: validate, validate, validate.
As long as your validation code is secure, there is no fear in using
$_REQUEST.
Mark
-----Original Message-----
From: Jonathan Schwartz [mailto:jschwartz at exit445.com]
Sent: Wednesday, July 30, 2008 3:00 PM
To: FX.php Discussion List
Subject: RE: [FX.php List] $_REQUEST
I assumed that everyone has this challenge. Folks arrive at a given page
from either a link using a GET or a form using a POST. Let's say that we
need to edit the page and the recid is the field in question.
Either the GET or the POST has to contain a recid or it's a no go....
if (isset($_GET['recid']) or isset($_POST['recid'])) { /* Good */ } else { /* Bad */ }
or, the other way...
if (!isset($_GET['recid']) and !isset($_POST['recid'])) { /* Bad */ } else { /* Good */ }
Of course, just testing for empty isn't good enough, so this code starts
to expand. ;-)
Just thought that the $_REQUEST was a simpler approach that I had
overlooked.
J
At 4:40 PM -0500 7/30/08, Andrew Denman wrote:
>
>I have not yet had an instance where I'm using both POST and GET so I
>haven't used $_REQUEST and cannot provide first-hand experience.
>detection.
>
>Andrew Denman
--
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
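The two points made in this thread, Jonathan's "recid may arrive by GET or by POST" check and Mark's "validate, validate, validate", can be combined in one small PHP routine. The code below is an added example written for this archive page; it is not from the list, from Mark or Jonathan, or from FX.php itself. It reads the id from explicit arrays rather than $_REQUEST, so the GET/POST precedence is stated in code instead of depending on the php.ini request_order/variables_order settings (and cookies never take part), and it accepts only a plain positive integer. The sample inputs are constructed, the field name recid comes from the thread, and the 10-digit upper bound is an assumption for the example.

```php
<?php
// Added example for this thread (not code from the list or from FX.php).
// Accept a record id from either GET or POST and validate it strictly, so
// that it does not matter which array it arrived in.

declare(strict_types=1);

/**
 * Validate a candidate record id. Returns the id as an int, or null if the
 * value is absent or not a plain positive integer within range.
 * The 10-digit limit is an assumption for this example; use the real key range.
 */
function validate_recid($value): ?int
{
    // PHP puts strings (or arrays, for ?recid[]=1) into $_GET/$_POST.
    // Accept ints too so the function can be called on already-cast values.
    if (is_int($value)) {
        $value = (string) $value;
    }
    if (!is_string($value)) {
        return null;           // arrays, null, objects: reject outright
    }
    // Digits only, no sign, no whitespace, no leading zeros, no "123abc"
    // that an (int) cast would silently accept. The D modifier stops $
    // from matching before a trailing newline ("42\n" must fail).
    if (!preg_match('/^[1-9][0-9]{0,9}$/D', $value)) {
        return null;
    }
    $id = (int) $value;
    return ($id >= 1 && $id <= 2147483647) ? $id : null;
}

/**
 * Read recid from POST first, then GET, explicitly.
 * This stands in for $_REQUEST: the precedence is written here rather
 * than taken from request_order, and $_COOKIE is never consulted.
 */
function read_recid(array $get, array $post): ?int
{
    if (array_key_exists('recid', $post)) {
        return validate_recid($post['recid']);
    }
    if (array_key_exists('recid', $get)) {
        return validate_recid($get['recid']);
    }
    return null;
}

// Constructed sample inputs standing in for $_GET / $_POST.
$cases = [
    'GET only'          => [['recid' => '42'], []],
    'POST only'         => [[], ['recid' => '7']],
    'both, POST wins'   => [['recid' => '1'], ['recid' => '2']],
    'missing'           => [[], []],
    'empty string'      => [['recid' => ''], []],
    'injection attempt' => [['recid' => '1 OR 1=1'], []],
    'array trick'       => [['recid' => ['1']], []],
    'leading zero'      => [['recid' => '007'], []],
    'trailing newline'  => [['recid' => "42\n"], []],
];

foreach ($cases as $label => [$get, $post]) {
    $id = read_recid($get, $post);
    printf("%-18s => %s\n", $label,
        $id === null ? 'Bad (reject)' : "Good (recid=$id)");
}
```

Run it from the command line with `php recid.php`; only the first three cases come back as Good. The point for the thread is that once a value has passed a check like validate_recid(), whether it was read from $_GET, $_POST or $_REQUEST no longer matters; what does matter is that the precedence between the sources is decided deliberately, and that the validated integer, not the raw string, is what reaches the database query.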