RE: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

Posted by Jim Moseby on 09/14/05 22:08

> (snipped)
> "Ben" <ben@emediastudios.com> wrote in message
> news:43285F71.50101@emediastudios.com...
> > Gustav Wiberg wrote:
> >> if (isset($_REQUEST["frmUsername"])) {
> >>
> >> $un = $_REQUEST["frmUsername"];
> >
> > If you're going to use $_REQUEST you might as well just turn on register
> > globals (no, don't!).
> >
> > If you're expecting a post look for a $_POST, if you're expecting a get
> > look for a $_GET. Ditto with cookies. You really need to know where your
> > variables are coming from if you want a measure of security.
>
> Why is using $_REQUEST a security issue? You know every value in the entire
> array came from the end-user, and needs to be validated somehow. If your
> code is written so the end-user can send this data to you via a
> POST/GET/COOKIE, why not use $_REQUEST?

Suppose you have a form that posts set hidden values. A malicious user
could modify the URI to change those values.

Which raises the question, in the scenario above, you may have an identical
'post' value and 'get' value submitted to the same page. Which takes
precedence in $_REQUEST?

JM
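
On the precedence question raised above, an added illustration that is not part of the original message: PHP fills $_REQUEST in the order given by the `variables_order` ini setting (and, from PHP 5.3, `request_order`), with later sources overwriting earlier ones. The function names, the field `item_id` and all sample values are constructed for this sketch.

```php
<?php
// Added illustration, not code from the thread.
// Emulates how PHP fills $_REQUEST: the sources named in the order string
// are merged left to right, so a later letter wins when keys collide.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the later source overwrite.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: accept the field only from the POST body and only if
// it is a plain decimal integer; anything else is rejected as null.
function post_int(array $post, string $name): ?int
{
    $value = $post[$name] ?? null;
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    return (int) $value;
}

// Constructed request: the form posts a hidden field, and the same name
// also appears in the query string and in a cookie.
$get    = ['item_id' => '9999'];
$post   = ['item_id' => '1001', 'frmUsername' => 'alice'];
$cookie = ['item_id' => '7777'];

// Letters other than G, P and C (E and S) do not feed $_REQUEST here.
foreach (['GP', 'PG', 'GPC', 'EGPCS'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("%-5s => \$_REQUEST['item_id'] = %s\n", $order, $request['item_id']);
}

// Reading the source the form actually uses removes the ambiguity.
var_dump(post_int($post, 'item_id')); // field taken from the POST body
var_dump(post_int([], 'item_id'));    // same name sent only in the URI
```

Which value a handler sees through $_REQUEST therefore depends on server configuration, while a handler that reads $_POST directly ignores a same-named query-string or cookie value.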

 
