Posted by Sebastiaan 'CrashandDie' Lauwers on 06/08/07 22:32
peter wrote:
> The convention is to actually use $_POST or $_GET and $_COOKIE and not
> $_REQUEST as you SHOULD know from where the data has come.
That's just crap.
> You as the programmer should ALWAYS know which method data has come to your
> script.
BS, and you know it.
"I'm sure it came in through POST"
So what?
Faulty security: "I check that the data DID come in through POST" (also
works for GET/Cookies)
Rule: It is completely futile to check if data did come in through POST
rather than using GET (or the other way around) or from a cookie.
Why: It's a piece of cake to send you data. You want GET? To use GET,
just telnet www.target.tld 80 or even easier, just type the variables
into the URL bar of a browser. You want POST? To use POST, you just
need to save the form to your hard drive, change it, open the file, and
hit "Submit". Want a cookie? A cookie is merely a text file written in
the right place on your hard drive. You could even use wget or cURL to
send the same data 10 or 50 times per second for an hour...
Thus: It's the content of the data that is important, the means of
transmission is completely irrelevant.
Using PHP, just use REQUEST instead of over-complexing your code, using
$_GET here and $_POST there...
(courtesy of JG)
Remember, you do not need to know if it was typed in the URL, or came in
regularly from your form, the only thing you need to know is if the
data is trustworthy.
As it comes from a client, it never is!
S.
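
The point argued above, as an added example that is not part of the original post: a check on the request method accepts a hand-built POST carrying bad values, while validating the content gives the same verdict whichever way the data arrived. The field names (`qty`, `email`), function names and sample values are constructed for illustration.

```php
<?php
// Added example; field names and sample inputs are constructed.

// Weak: only asks how the data arrived. The client chooses the method,
// so this accepts whatever content a hand-built POST carries.
function accept_by_method(string $method, array $data): bool
{
    return $method === 'POST' && isset($data['qty'], $data['email']);
}

// Content check: each field is validated against what the application
// expects, whichever array ($_GET, $_POST, $_COOKIE, $_REQUEST) it came from.
function validate_order(array $data): array
{
    $errors = [];
    // filter_var returns false for non-integers, out-of-range values,
    // missing fields (null) and arrays such as qty[]=1.
    $qty = filter_var($data['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors[] = 'qty must be an integer from 1 to 100';
    }
    $email = filter_var($data['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }
    return [
        'ok'     => !$errors,
        'errors' => $errors,
        'clean'  => $errors ? [] : ['qty' => $qty, 'email' => $email],
    ];
}

// Constructed requests: the same good payload by two methods, then two
// POSTs whose content is wrong even though the method is the expected one.
$samples = [
    ['POST', ['qty' => '3',     'email' => 'a@example.com']],
    ['GET',  ['qty' => '3',     'email' => 'a@example.com']],
    ['POST', ['qty' => '-5000', 'email' => 'x']],
    ['POST', ['qty' => ['1'],   'email' => 'a@example.com']],
];
foreach ($samples as [$method, $data]) {
    printf("%-4s method-check=%-5s content-check=%s\n", $method,
        var_export(accept_by_method($method, $data), true),
        var_export(validate_order($data)['ok'], true));
}
```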