You are here: RE: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site.. « PHP « IT news, forums, messages
RE: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

Posted by "Richard Lynch" on 09/15/05 01:38

On Wed, September 14, 2005 2:08 pm, Jim Moseby wrote:
> Suppose you have a form that posts set hidden values. A malicious
> user
> could modify the URI to change those values.

Sure.

Or they could save your HTML on their hard drive, edit it in their
editor of choice (some of which require NO brains to drive) and then
POST the modified data back to you.

POST is *NOT* *NOT* *NOT* more "safe" nor less likely to be modified
than GET.

Well, okay, maybe the dumbest of the dumb can't figure out how to
save/edit HTML...

The point is that relying on POST being "safer" than the user
modifying the GET paramters of a URL is just plain silly.

You're putting a barrier in place that is about an eighth of an inch
high. It's not much of a barrier.

Meanwhile, you now have to clean *ALL* of $_GET/$_POST/$_COOKIE in
three different iterative constructs.

Or you could do *one* iteration and clean $_REQUEST, and ignore
$_GET/$_POST/$_COOKIE

> Which raises the question, in the scenario above, you may have an
> identical
> 'post' value and 'get' value submitted to the same page. Which takes
> precidence in $_REQUEST?

The precedence is CLEARLY defined in the GPC settings in php.ini!

If you don't like the default precedence order, feel free to change it.

Or you can accept the default precedence, which is probably the safest
assumption for portable code.

--
Like Music?
http://l-i-e.com/artists.htm

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация