[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 17:25:53 MST 2008


On Thu, Feb 28, 2008 at 4:18 PM, Sean <sean at lookin3d.com> wrote:

> I agree with you that having standards and practicing them can save you
> from that situation, but I am still not agreeing with you on the fact
> that $_REQUEST is more secure than $_POST or $_GET, because if I write a
> small script for each of them, they will all be just as secure as the
> next.
>

Security isn't necessarily about fixing just the apparent holes in your
application; it has to do with a lot more than that.  It has to do with
your design and security paradigm, which, when you use $_REQUEST, is
flawed.  If you use the underlying protocol inappropriately (HTTP and its
methods), you're introducing a whole new set of problems.

I've said that using $_REQUEST isn't a security hole per se;  what I'm
saying is that by introducing $_REQUEST, you're introducing yet another
possibility of unexpected bugs.  Unexpected bugs can lead to security holes.


> The question posted by Wade was whether or not it increases security.
> Not whether or not you'll be less likely to open yourself up for an
> attack because you use $_POST to validate and use $_REQUEST as the
> variable to use in perhaps a query. Which btw I've never seen done :p
>

And if you read my original response, you'll see the point I was trying to
make.

If people (especially a whole slew of PHP developers) had a proper security
practice and design approach in place from the start, you wouldn't see
nearly as many unexpected security holes in their applications.  THAT is my
argument.  And that by subverting the HTTP protocol by treating GET and POST
requests the same, you're just plain dumb.  Being dumb leads to security
problems too.

-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
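An added example (not code from this thread or its authors) that makes the point above concrete: a state-changing handler that reads from $_REQUEST fires on a GET, a POST, or (depending on the request_order / variables_order ini settings) a cookie, so a plain link or an <img src="..."> on another site can trigger it, while a handler that checks the request method and reads only $_POST does not. The function names, the build_request() helper that imitates how PHP fills $_REQUEST, and all request data are constructed for the example; the request arrays are passed in as parameters so the script runs under php-cli, where real code would read $_SERVER['REQUEST_METHOD'], $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example, not from the original mailing-list post. Demonstrates why
// treating GET and POST the same via $_REQUEST is a design problem.
// Request data below is constructed; no web server is needed.

declare(strict_types=1);

/**
 * Imitate how PHP builds $_REQUEST: the sources named by the request_order
 * ini setting (default "GP"; falls back to variables_order, e.g. "EGPCS",
 * when unset) are merged left to right, and later sources overwrite earlier
 * ones for the same key. Letters with no matching source (E, S) are skipped.
 */
function build_request(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Vulnerable pattern: reads from $_REQUEST, so GET, POST or cookie can all trigger it. */
function delete_account_vulnerable(array $request): string
{
    if (isset($request['action'], $request['user']) && $request['action'] === 'delete') {
        return 'deleted user ' . $request['user'];
    }
    return 'no-op';
}

/** Hardened pattern: state-changing action only on POST, parameters only from $_POST. */
function delete_account_hardened(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: method ' . $method;
    }
    if (isset($post['action'], $post['user']) && $post['action'] === 'delete') {
        return 'deleted user ' . $post['user'];
    }
    return 'no-op';
}

// Constructed request 1: a GET, e.g. what <img src="/account.php?action=delete&user=alice">
// on a third-party page would send while alice is logged in.
$get1 = ['action' => 'delete', 'user' => 'alice'];
echo 'GET  vulnerable: ', delete_account_vulnerable(build_request($get1, [], [])), "\n";
echo 'GET  hardened:   ', delete_account_hardened('GET', []), "\n";

// Constructed request 2: POST body names bob, the query string names alice and a
// cookie names mallory. Which one $_REQUEST['user'] holds depends on ini settings,
// so the same script behaves differently on differently configured servers.
$get2    = ['user' => 'alice'];
$post2   = ['action' => 'delete', 'user' => 'bob'];
$cookie2 = ['user' => 'mallory'];
echo 'POST $_REQUEST (request_order=GP):    user=',
     build_request($get2, $post2, $cookie2, 'GP')['user'], "\n";
echo 'POST $_REQUEST (variables_order=EGPCS): user=',
     build_request($get2, $post2, $cookie2, 'EGPCS')['user'], "\n";
echo 'POST hardened:                          ',
     delete_account_hardened('POST', $post2), "\n";
```

Run it with `php example.php`. The method check alone is not a complete cross-site request forgery defence (a hostile page can still auto-submit a POST form), so a per-session token is still needed for state-changing actions; the point the check does make is the one argued in the thread: once the handler only honours POST and only reads $_POST, a GET link cannot trigger it and the server's request_order setting can no longer decide which value the script acts on.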

