Posted by Erwin Moller on 05/17/07 08:45
jmark@fastermail.com wrote:
> On May 16, 3:05 pm, Schraalhans Keukenmeester <inva...@invalid.spam>
> wrote:
>> At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
>>
>> > j...@fastermail.com wrote:
>>
>> >> I have seen some code like
>> >> $value = strval($REQUEST['value']);
>>
>> >> I would like to know what is the use of strval here since $_REQUEST
>> >> values are strings?
>>
>> > PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.
>>
>> Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
>> Security issue?
>>
>> Sh.
>
> This is more similar to a type checking issue and not security.
> $_REQUEST can be either a get, a post, or a cookie variable. There are
> circumstances where it's more convenient to use $_REQUEST, like if you
> have to call a certain script using either the get or the post method.
Yes, exactly what I meant.
A little more elaborate explanation:
The problem with $_REQUEST is that it gets populated (virtually, I think) from
POST, GET and COOKIE.
If you KNOW what you are receiving, use the right array.
And yes, I have been in circumstances in which it was convenient for me to
use $_REQUEST, but not often.
It is more a check for the programmer than a security issue.
A silly example:
I expect from a form posting the name 'example1', but in the form I wrote
'exmple1'.
If I have a cookie in use named 'example1', or in my URL something like:
http://www.example.com/test.php?example1=45
then using $_REQUEST will retrieve the 'example1' name/value pair from
the wrong place.
That is why I advise using the superglobal you KNOW you are using.
So it is not really a security issue (because everybody should check info
from cookie, get and post anyway), but more a line of protection against
coding/thinking mistakes.
Just my 2 cents..
Regards,
Erwin Moller
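The following is an added example illustrating the point made in the thread above; it is not code posted by Erwin or anyone else in the thread. Because $_GET, $_POST and $_COOKIE are empty when PHP runs from the command line, the script fills them with constructed sample values (the misspelled form field 'exmple1', a URL parameter and a cookie both named 'example1') and rebuilds $_REQUEST the way PHP does, merging the sources left to right in the order given by the request_order ini directive (variables_order is used when request_order is empty), where a later source overwrites an earlier one. The helper names build_request and post_string are the example's own.

```php
<?php
// Added example, not from the original thread. Simulates how PHP
// populates $_REQUEST so it can run from the CLI without a web server.
declare(strict_types=1);

// Constructed sample request: the form posted the misspelled field
// 'exmple1', the URL carried ?example1=45&tags[]=a&tags[]=b, and the
// browser also sent a cookie named 'example1'.
$get    = ['example1' => '45', 'tags' => ['a', 'b']];
$post   = ['exmple1' => 'from-the-form'];
$cookie = ['example1' => 'from-a-cookie'];

/**
 * Build $_REQUEST the way PHP does: the letters of request_order
 * (G = GET, P = POST, C = COOKIE) are processed left to right and a
 * later source overwrites an earlier one that uses the same key.
 * Letters that are not G, P or C are ignored.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Read a field from exactly the source you expect ($_POST here) and
 * insist on a string: a field submitted as name[]=... arrives as an
 * array, which is the case strval()/is_string() checks are there for.
 */
function post_string(array $post, string $name): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return $post[$name];
}

// The same misspelled form "works" or not depending only on ini settings.
foreach (['GP', 'GPC', 'CPG'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-4s \$_REQUEST['example1'] = %s\n",
        $order, var_export($request['example1'] ?? null, true));
}

// Reading the array you actually meant exposes the typo immediately.
var_dump(post_string($post, 'example1'));
var_dump(post_string($post, 'exmple1'));

// "Request values are strings" is not guaranteed: tags[]=a&tags[]=b is an array.
var_dump(is_string($get['tags']));
```

Run it with `php request_order.php`. With request_order=GP the cookie is not consulted at all and the URL value fills $_REQUEST['example1']; with GPC the cookie value overwrites the URL's; in every case the misspelled POST field goes unnoticed because some other source happened to supply a key with the intended name. post_string() returns null for 'example1' and the posted value only for 'exmple1', which is the coding mistake Erwin describes being caught rather than papered over. The last line shows why a strval() or is_string() check on request input is not redundant.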