kurt.santo Posted April 6, 2008
$_REQUEST stores all of the data sent to a PHP page through either GET, POST or data accessible in cookies. I did first assume that it might be a great idea to use this global variable, then I heard about security issues. I did not understand what the real risk is. Does someone know the reason?
Kurt
boen_robot Posted April 6, 2008
The real "risk" is that you're making it easier for attackers to try and hack your code. Normally, they'd need to emulate a POST variable with a tool like Fiddler. When you use $_REQUEST, they can just as easily pass a URL argument, which is far easier to try out. In addition, when you separate the methods, you may eventually try to block POST requests from a certain suspicious user. If you use $_REQUEST, that is irrelevant, as you still allow $_GET and $_COOKIE ones. In addition, forging cookies is also easier. It's all just about making hacking one step easier, even though it's not a security hole by itself.
kurt.santo Posted April 7, 2008 (Author)
> The real "risk" is that you're making it easier for attackers to try and hack your code. Normally, they'd need to emulate a POST variable with a tool like Fiddler. When you use $_REQUEST, they can just as easily pass a URL argument, which is far easier to try out. In addition, when you separate the methods, you may eventually try to block POST requests from a certain suspicious user. If you use $_REQUEST, that is irrelevant, as you still allow $_GET and $_COOKIE ones. In addition, forging cookies is also easier. It's all just about making hacking one step easier, even though it's not a security hole by itself.

Understood! Thank you for the clarification...
Kurt
clonetrooper9494 Posted April 9, 2008
Just wondering, but why did they come out with the var if it has so many cons?
Synook Posted April 9, 2008
Because in some cases the same data may be available either from cookies or from the URL, or from a POST request, and $_REQUEST saves developers the trouble of finding out which. Though, it's a bit like register_globals in a way...
jeffman Posted April 9, 2008
The cons only exist if you're a sloppy engineer. There is absolutely no reason why a script couldn't run $_REQUEST through one iterator (instead of the alternative, which is three) and extract all the info necessary to get the job done. The danger comes when you don't really think about your data and just blindly do stuff with it that could get you in trouble--like, say, running an untested POST value through an eval statement, or using a GET value as a password. $_REQUEST values could lead the sloppy engineer into forgetting where the values came from or how they got there, which in turn could lead to bad security. So getting in the habit of using $_POST and $_GET promotes, but doesn't ensure, better security. Just don't be fooled into thinking they ARE better security.
boen_robot Posted April 9, 2008
If you wanted to emulate (or adjust the behaviour of) $_REQUEST for iteration's sake, you could always do:

$_REQUEST = $_GET + $_POST + $_COOKIE;

Like Synook, I think this is a lot like register_globals. It's not a security issue by itself, but it can very easily be misused.
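An added example, not code from any poster in this thread, illustrating jeffman's point about losing track of where a value came from and boen_robot's emulation of $_REQUEST: the merged array is built in the order PHP's request_order ini setting prescribes (falling back to variables_order), so the same key can resolve to a GET, POST or cookie value depending on configuration, and the handler below shows the explicit alternative. The sample inputs and the handle_action function are constructed for this example.

```php
<?php
// Constructed sample inputs standing in for $_GET, $_POST and $_COOKIE.
$get    = ['action' => 'view'];
$post   = ['action' => 'delete', 'csrf' => 'abc123'];
$cookie = ['action' => 'logout'];

// Emulate how PHP fills $_REQUEST: it walks the letters of request_order
// (e.g. "GP"; if unset, variables_order such as "EGPCS" is used) and a
// later source overwrites an earlier one that carries the same key.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// The same key yields a different value under each configuration, and once
// merged the script can no longer tell which channel supplied it.
foreach (['GP', 'GPC', 'PG'] as $order) {
    echo $order, ' => action=', merge_request($order, $get, $post, $cookie)['action'], PHP_EOL;
}

// Explicit alternative for a state-changing operation (hypothetical handler):
// require the POST method, read only from $_POST, and check the value
// against a fixed allow-list instead of trusting whatever arrived.
function handle_action(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $allowed = ['view', 'delete'];
    $action = $post['action'] ?? '';
    if (!in_array($action, $allowed, true)) {
        return 'rejected: action';
    }
    return 'ok: ' . $action;
}

echo handle_action('GET', $get), PHP_EOL;
echo handle_action('POST', $post), PHP_EOL;
```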
tyweiss Posted April 9, 2008
I use it a lot when working on big projects and I forget what all is coming into the page. Mostly debugging/building but take it off afterwards, I don't think I've ever used it otherwise. That of course doesn't stop you from using it, although I'd be careful when doing so.