[UPHPU] receiving with $_REQUEST

Sean sean at lookin3d.com
Thu Feb 28 17:02:04 MST 2008


I've already agreed it's the better standard but that doesn't mean it's 
more secure. In your example if I check $_REQUEST and only that varible 
than I would be validating the cookie, and using the cookie for input, 
so if you post the same variable in both cookie and post than depending 
on your ini settings, (which btw you can disable cookies from being 
registered in $_REQUEST ;), than your post would be overwritten with 
your cookie, it's not like you'll validate using $_POST and then use 
$_REQUEST as the varible.

Your example is very flawed.

Joshua Simpson wrote:
>
>
> On Thu, Feb 28, 2008 at 3:14 PM, Sean <sean at lookin3d.com 
> <mailto:sean at lookin3d.com>> wrote:
>
>     Joshua,
>
>        Simply by saying that it's more secure because it's more
>     standardized and better code design, doesn't make it more secure,
>     if you
>     can be hacked with request, you can be hacked by post and get too.
>     Standards in this case adds no more security than using tabs in your
>     code versus spaces. I do agree that it's the better practice overall,
>     but that doesn't mean it's more secure, just better written.
>
>
> You need to dive into security more, then, because better written code 
> is almost always more secure.  It's easier to maintain;  and problems 
> with maintaining code are one of the biggest reasons web applications 
> get broken into.
>
> Let's take my overwriting the cookie example.  If you're doing 
> operations where you're cleansing the $_REQUEST code, and I can 
> override $_REQUEST with a cookie setting and bypass your validation, 
> where are you at now?
>
> Easily maintainable code and easily readable code is, inherently, more 
> secure than unmaintainable code and unreadable code.
>
> dw
>
> -- 
> -
> http://stderr.ws/
> "Insert pseudo-insightful quote here." - Some Guy 

-- 

Sean Thayne,
Exit12



More information about the UPHPU mailing list