|
Posted by "Richard Lynch" on 09/15/05 01:47
On Wed, September 14, 2005 1:57 pm, Dan Baker wrote:
> (snipped)
>> If you're going to use $_REQUEST you might as well just turn on
>> register
>> globals (no, don't!).
More mis-information.
$_REQUEST is simply the array_merge() of $_GET, $_POST, and $_COOKIE.
You either check the contents of any of those 4 $_XXXX variables for
what variables you expect.
Or you don't check the keys, in which case you might as well have
register_globals "on" because you *ARE* initializing your
un-initialized script variables with whatever comes in from the
outside world.
But it really does NOT matter that you assume all of $_REQUEST is
equally suspect, and validate that, and use it, instead of doing
GET/POST separately.
Or, at least, not in terms of register_globals being on/off.
If you are using the same variable in both GET and POST in one
request, yeah, you need to look into both to get the two values. But
that's usually a Bad Idea, since it's too confusing to get the same
variable in both at once.
But, really, the user over-writing GET data with POST data (or vice
versa) is a non-issue.
The malicious user can just as easily over-write POST data with
whatever POST data they want to send you in the first place!
register_globals is all about the user providing "default" values for
un-initialized variables.
It's got NOTHING to do with GET versus POST data being more/less
suspect , or GET/POST over-writing POST/GET
99.9% of the people who insist on using GET/POST instead of REQUEST
mistakenly believe that POST is "more secure" than GET. They're wrong
on that score.
There may be OTHER reasons to use GET/POST, if only to be clear on
where you expect the data to come from in the other parts of the
application, but it's not about "security"
It can't be about Security because POST and GET are equally easy to
forge and send in, so any Security measure based on them being
"different" is flawed, by definition.
--
Like Music?
http://l-i-e.com/artists.htm
[Back to original message]
|