[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 16:25:21 MST 2008


On Thu, Feb 28, 2008 at 3:14 PM, Sean <sean at lookin3d.com> wrote:

> Joshua,
>
>    Simply by saying that it's more secure because it's more
> standardized and better code design, doesn't make it more secure, if you
> can be hacked with request, you can be hacked by post and get too.
> Standards in this case add no more security than using tabs in your
> code versus spaces. I do agree that it's the better practice overall,
> but that doesn't mean it's more secure, just better written.
>
>
You need to dive into security more, then, because better written code is
almost always more secure. It's easier to maintain, and problems with
maintaining code are one of the biggest reasons web applications get broken
into.

Let's take my overwriting the cookie example.  If you're doing operations
where you're cleansing the $_REQUEST code, and I can override $_REQUEST with
a cookie setting and bypass your validation, where are you at now?

Easily maintainable code and easily readable code is, inherently, more
secure than unmaintainable code and unreadable code.

dw

-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
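The cookie-override bypass described in the message above, as an added PHP example that is not part of the original post or thread. PHP fills `$_REQUEST` from `$_GET`, `$_POST` and `$_COOKIE` in the order given by `request_order` (falling back to `variables_order`, whose built-in default is `EGPCS`); each later source overwrites keys from the earlier ones, so when cookies are included a cookie named `id` silently replaces a validated POST field `id`. The script simulates that merge with constructed sample data (the `$get`, `$post`, `$cookie` arrays and the function names are assumptions for the demo) so it runs from the CLI without a web server.

```php
<?php
// Added example, not code from the original post. Simulates how PHP builds
// $_REQUEST and why validating one superglobal but reading another is a
// bypass. Run with: php request_merge.php
declare(strict_types=1);

// Constructed sample request: the client POSTs a valid numeric id but also
// sends a cookie named "id" carrying a non-numeric value.
$get    = [];
$post   = ['id' => '42'];
$cookie = ['id' => 'not-a-number'];

// Reproduce PHP's merge: walk request_order left to right, later sources
// overwrite earlier ones. "GPC" means a cookie key wins over GET and POST.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Vulnerable pattern from the thread: validation inspects $_POST, the code
// that actually uses the value reads $_REQUEST. Returns the id that would
// reach the query.
function vulnerableLookup(array $post, array $request): string
{
    if (!ctype_digit($post['id'] ?? '')) {
        return 'rejected';
    }
    return 'using id=' . $request['id']; // unvalidated copy is the one consumed
}

// Hardened: validate and consume the same, explicitly chosen source, and
// keep the value typed so it can only be bound as an integer downstream.
function hardenedLookup(array $post): string
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'rejected';
    }
    return 'using id=' . $id;
}

$requestGPC = buildRequest('GPC', $get, $post, $cookie); // cookies included
$requestGP  = buildRequest('GP',  $get, $post, $cookie); // php.ini-production default

echo 'request_order=GPC -> ', vulnerableLookup($post, $requestGPC), PHP_EOL; // using id=not-a-number
echo 'request_order=GP  -> ', vulnerableLookup($post, $requestGP),  PHP_EOL; // using id=42
echo 'hardened          -> ', hardenedLookup($post),                PHP_EOL; // using id=42
```

The first line shows the bypass the message is talking about: `$_POST['id']` passed `ctype_digit`, yet the value that reaches the query is the cookie's. Restricting `request_order` to `GP` (as php.ini-production does) closes the cookie path, but the durable fix is the hardened function: read from one named source and use the validated result, so there is no second copy of the input to diverge from.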
