Posted by "Dan Baker" on 09/14/05 23:04

"Ben" <ben@emediastudios.com> wrote in message
news:43287B03.4000500@emediastudios.com...
> Dan Baker wrote:
>
>> Why is using $_REQUEST a security issue? You know every value in the
>> entire array came from the end-user, and needs to be validated somehow.
>> If your code is written so the end-user can send this data to you via a
>> POST/GET/COOKIE, why not use $_REQUEST?
>
> On the one hand, you can't trust anything that came from the client, but
> on the other if you're expecting a variable to come from a cookie and
> instead it comes from a get you know something weird is going on, but
> using $_REQUEST you'll be oblivious. You ought to know where your
> variable values are coming from, $_REQUEST hides this.

Interesting, but I think I wouldn't spend the extra code to detect if I was
expecting a POST, but got a GET. If I didn't get the value from POST, I'd
just assume it wasn't there -- I wouldn't go looking elsewhere for it, and
report an error.

The *main* reason I use $_REQUEST is so I can code up GET and POST pages
that all are handled by the same php functions. I may have an item called
"Key" that contains what the end-user is expected to be doing ("User.Create"
or "User.Edit" or whatever). Then I may have a link (GET) that has
?Key=User.Create, while a form (POST) that has a hidden value "Key" with
value "User.Create". I don't really care if it came from a GET or POST --
if the data is all valid, I'll allow it to work.

> In older versions of PHP4 this is even more of an issue since $_FILE
> information was also included in $_REQUEST. If someone uploades a file
> while including conflicting information from another source (cookie, post,
> get) this could lead to all sorts of problems.

I didn't know this one. This might cause problems for me.

> And the lazy guy answer... typing $_POST and $_GET is faster than typing
> $_REQUEST ;-).

This is, by far, the best reason I've ever heard! <grin>

DanB

[Back to original message]