Posted by peter on 06/08/07 22:48
> That's just crap.
>
>> You as the programmer should ALWAYS know which method data has come to
>> your script.
>
> BS, and you know it.
>
> "I'm sure it came in through POST"
>
> So what?
>
> Faulty security: "I check that the data DID come in through POST" (also
> works for GET/Cookies)
>
> Rule: It is completely futile to check if data did come in through POST
> rather than using GET (or the other way around) or from a cookie.
>
> Why: It's a piece of cake to send you data. You want GET? To use GET,
> just telnet www.target.tld 80 or even easier, just type the variables into
> the URL bar of a browser. You want POST? To use POST, you just need to
> save the form to your hard drive, change it, open the file, and hit
> "Submit". Want a cookie? A cookie is merely a text file written in the
> right place on your hard drive. You could even use wget or cURL to send
> the same data 10 or 50 times per second for an hour...
>
> Thus: It's the content of the data that is important, the means of
> transmission is completely irrelevant.
>
> Using PHP, just use $_REQUEST instead of over-complicating your code, using
> $_GET here and $_POST there...
>
> (courtesy of JG)
>
> Remember, you do not need to know if it was typed in the URL, or came in
> regularly from your form; the only thing you need to know is if the data
> is trustworthy.
>
> As it comes from a client, it never is!
The following is from PHP's own manual:
It's even possible to take preventative measures to warn when forging is
being attempted. If you know ahead of time exactly where a variable should
be coming from, you can check to see if the submitted data is coming from an
inappropriate kind of submission. While it doesn't guarantee that data has
not been forged, it does require an attacker to guess the right kind of
forging. If you don't care where the request data comes from, you can use
$_REQUEST as it contains a mix of GET, POST and COOKIE data. See also the
manual section on using variables from outside of PHP.
Source: http://ch2.php.net/register_globals
Also take a read of http://www.owasp.org/index.php/PHP_Top_5
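To make the two positions in this thread concrete, here is an added example; it is not code from the original post, from JG, or from the PHP manual. It assumes a hypothetical "update user" handler with a single user_id field. The method check is the control JG calls futile (any client can send a POST), the content check is the one that does the work, and buildRequest() emulates, per the manual's description of request_order and variables_order, how $_REQUEST is assembled: sources merged left to right, later ones overwriting earlier ones, so a cookie can silently replace a POSTed value when cookies are part of the order.

```php
<?php
// Added example; not code from the original post, JG, or the PHP manual.
// Assumes a hypothetical "update user" endpoint with one user_id field.
declare(strict_types=1);

/**
 * Emulates how PHP fills $_REQUEST: the sources named by request_order
 * (or variables_order when request_order is unset) are merged left to
 * right, and later sources overwrite earlier ones. 'G' = GET, 'P' = POST,
 * 'C' = COOKIE; any other letter (E, S) is ignored here.
 */
function buildRequest(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Reads one parameter from one explicit source and validates its content
 * against a whitelist pattern. Returns null if it is missing or malformed.
 */
function param(array $source, string $name, string $pattern): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return preg_match($pattern, $source[$name]) === 1 ? $source[$name] : null;
}

/**
 * Handler that "checks the method" first (the control the thread calls
 * futile) and then validates the content (the control that actually helps).
 */
function handleUpdate(string $method, array $post): string
{
    // Any client satisfies this with curl -d 'user_id=...' (which sends a
    // POST), so it is a routing convention, not a security boundary.
    if ($method !== 'POST') {
        return 'error: expected POST';
    }
    // A user id is 1 to 10 digits; anything else is rejected, whatever
    // channel it arrived through.
    $userId = param($post, 'user_id', '/^\d{1,10}$/');
    if ($userId === null) {
        return 'error: invalid user_id';
    }
    return "ok: user $userId";
}

// --- Constructed inputs simulating what the server would see ---
$get    = ['user_id' => '7'];
$post   = ['user_id' => '42'];
$cookie = ['user_id' => "42 OR 1=1"];

// A forged POST passes the method check; only the content check stops it.
echo handleUpdate('POST', ['user_id' => "42 OR 1=1"]), "\n";
echo handleUpdate('POST', $post), "\n";

// Built-in default variables_order = "EGPCS" with request_order unset:
// the cookie is merged last, so it overwrites the POSTed user_id.
$req = buildRequest($get, $post, $cookie, 'EGPCS');
echo "EGPCS -> user_id = {$req['user_id']}\n";

// php.ini-production sets request_order = "GP": cookies never reach
// $_REQUEST, and POST overwrites GET.
$req = buildRequest($get, $post, $cookie, 'GP');
echo "GP    -> user_id = {$req['user_id']}\n";
```

Run it with `php example.php`. The takeaway matches both the quoted rule and the manual excerpt: the transport is trivially forgeable, so reading from an explicit superglobal only tells you which merge order you are relying on, while the whitelist in param() is what decides whether the value can be used. If you do read $_REQUEST in real code, check the effective request_order with `php -i | grep request_order` rather than assuming the POST value wins.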