|
Posted by "Dan Baker" on 09/14/05 21:57
(snipped)
"Ben" <ben@emediastudios.com> wrote in message
news:43285F71.50101@emediastudios.com...
> Gustav Wiberg wrote:
>> if (isset($_REQUEST["frmUsername"])) {
>>
>> $un = $_REQUEST["frmUsername"];
>
> If you're going to use $_REQUEST you might as well just turn on register
> globals (no, don't!).
>
> If you're expecting a post look for a $_POST, if you're expecting a get
> look for a $_GET. Ditto with cookies. You really need to know where your
> variables are coming from if you want a measure of security.
Why is using $_REQUEST a security issue? You know every value in the entire
array came from the end-user, and needs to be validated somehow. If your
code is written so the end-user can send this data to you via a
POST/GET/COOKIE, why not use $_REQUEST?
Just trying to learn.
DanB
[Back to original message]
|