You are here: Re: trying to figure out the best/efficient way to tell whois logged into a site.. « PHP « IT news, forums, messages
Re: trying to figure out the best/efficient way to tell whois logged into a site..

Posted by Ben on 09/14/05 22:33

Dan Baker wrote:

> Why is using $_REQUEST a security issue? You know every value in the entire
> array came from the end-user, and needs to be validated somehow. If your
> code is written so the end-user can send this data to you via a
> POST/GET/COOKIE, why not use $_REQUEST?

On the one hand, you can't trust anything that came from the client, but
on the other if you're expecting a variable to come from a cookie and
instead it comes from a get you know something weird is going on, but
using $_REQUEST you'll be oblivious. You ought to know where your
variable values are coming from, $_REQUEST hides this.

In older versions of PHP4 this is even more of an issue since $_FILE
information was also included in $_REQUEST. If someone uploades a file
while including conflicting information from another source (cookie,
post, get) this could lead to all sorts of problems.

And the lazy guy answer... typing $_POST and $_GET is faster than
typing $_REQUEST ;-).

- Ben

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация