[UPHPU] receiving with $_REQUEST

Sean sean at lookin3d.com
Thu Feb 28 17:18:23 MST 2008


I agree with you that having standards and practicing them can save you 
from that situation, but I still don't agree with you that $_REQUEST is 
more secure than $_POST or $_GET, because if I write a small script for 
each of them, they will all be just as secure as the next.

The question posted by Wade was whether or not it increases security. 
Not whether or not you'll be less likely to open yourself up for an 
attack because you use $_POST to validate and use $_REQUEST as the 
variable to use in perhaps a query. Which, btw, I've never seen done :p

Joshua Simpson wrote:
>
>
> On Thu, Feb 28, 2008 at 4:02 PM, Sean <sean at lookin3d.com 
> <mailto:sean at lookin3d.com>> wrote:
>
>     I've already agreed it's the better standard but that doesn't mean
>     it's
>     more secure. In your example if I check $_REQUEST and only that
>     variable
>     then I would be validating the cookie, and using the cookie for input,
>     so if you post the same variable in both cookie and post then
>     depending
>     on your ini settings, (which btw you can disable cookies from being
>     registered in $_REQUEST ;), then your post would be overwritten with
>     your cookie, it's not like you'll validate using $_POST and then use
>     $_REQUEST as the variable.
>
>
> I'm talking about another developer, not an attack.
>
> People don't mean to make their application insecure;  it's through 
> sloppy coding and inconsistent and implicit development.  EXACTLY WHAT 
> $_REQUEST PROMOTES.
>
>
> Apparently, you still don't understand.  Let's take a look at what 
> Shiflett says (as per Richard's link he posted earlier -- thanks Richard!)
>
> Alek writes:
>
> "The whole $_REQUEST being less secure than $_POST argument is bogus."
>
> Shiflett writes:
>
> "No, it's not. You really want to argue that lowering the barrier of 
> entry has no effect? I think you'll be hard-pressed to find anyone who 
> agrees with you. That being said, I explicitly state that POST 
> requests can also be forged."
>
> And he's not even mentioning the fact that implicit assumption of the 
> method used is much worse (in almost any context) than an explicit 
> declaration (although I guess that's assumed from his comment --- 
> AIEEEE, implicitness!).
>
> -- 
> -
> http://stderr.ws/
> "Insert pseudo-insightful quote here." - Some Guy 

-- 

Sean Thayne,
Exit12
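The cookie-overwrites-POST scenario Sean describes, and the "validate $_POST but read $_REQUEST" mix-up Joshua warns about, as an added example that is not part of the thread or either poster's code. The build_request() function is an illustrative re-implementation of how PHP fills $_REQUEST from the request_order ini setting (it is not PHP's own code), and the $get/$post/$cookie arrays are constructed sample input so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the UPHPU thread or from either poster.
// It models how PHP assembles $_REQUEST from GET, POST and COOKIE according
// to the request_order ini setting, and shows why "validate $_POST, then read
// $_REQUEST" can act on a value that was never validated.

/**
 * Re-implementation (for illustration only) of the $_REQUEST merge: sources
 * are registered left to right in the given order and a later source
 * overwrites an earlier one for the same key. PHP does this at request
 * startup using request_order, falling back to variables_order when
 * request_order is empty.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (!isset($sources[$letter])) {
            continue; // 'E' (ENV) and 'S' (SERVER) never reach $_REQUEST
        }
        foreach ($sources[$letter] as $key => $value) {
            $request[$key] = $value; // later source wins
        }
    }
    return $request;
}

/**
 * The pattern discussed in the thread: the check runs against $_POST but the
 * value actually used is taken from $_REQUEST. Returns the value that would
 * flow into the query, or null if the check failed.
 */
function sloppy_lookup(array $post, array $request): ?string
{
    if (!ctype_digit($post['id'] ?? '')) {
        return null;
    }
    return $request['id'] ?? null; // may not be the value that was checked
}

/**
 * Explicit pattern: name the source once, validate it, and use the validated
 * copy. Bind the returned int as a prepared-statement parameter.
 */
function explicit_lookup(array $post): ?int
{
    $id = $post['id'] ?? '';
    if (!ctype_digit($id)) {
        return null;
    }
    return (int) $id;
}

// Constructed sample request: the same key arrives via POST and via a cookie.
$get    = [];
$post   = ['id' => '42'];
$cookie = ['id' => 'not-a-number'];

// "GPC": cookies registered, so the cookie overwrites the POST value.
// "GP":  cookies excluded (what php.ini-production ships), POST value survives.
foreach (['GPC', 'GP'] as $order) {
    $request = build_request($get, $post, $cookie, $order);
    printf("request_order=%-4s \$_REQUEST['id']=%-15s sloppy=%-15s explicit=%s\n",
        $order,
        var_export($request['id'] ?? null, true),
        var_export(sloppy_lookup($post, $request), true),
        var_export(explicit_lookup($post), true));
}

// What this PHP binary is actually running with.
printf("this process: request_order=%s variables_order=%s\n",
    var_export(ini_get('request_order'), true),
    var_export(ini_get('variables_order'), true));
```

Run it with `php request_order.php`. With "GPC" the sloppy path passes validation on the POST value '42' and then hands the unvalidated cookie value 'not-a-number' to the query; with "GP" the two agree only because the ini setting happened to exclude cookies. explicit_lookup() gives the same answer under either setting, which is the point Joshua is making about implicit versus explicit source selection.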
