PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I have another simple PHP problem that unfortunately has got me stumped.
I have a form that a user submits and if the user does not select a selection from one of the drop down menus I want it to say on the next page "You have not selected an answer".
The "fuel" box on the form has a value of "0" if the user does not select an answer.
Anyway, I have done the below that I thought should work but unfortunately it does not. Can anyone help please?!
A single = assigns a value.
== and === are for comparison.
To avoid such problems, write the literal on the left side. Since you cannot assign a value to a literal, the parser will throw an error if you forget an =.
onion2k wrote:Never use $_REQUEST. It's a security risk.
What's the security risk in using $_REQUEST?
You're using data from an 'unknown' source, it might be GET, it might be POST. You should explicitly take data only from where you expect it to come from, eg $_GET or $_POST. If the data could come from either you should choose which takes precedence in the source, eg
volka wrote: But even if you see that as a problem (which in the majority of cases I do not) that's not a security risk per se.
It is. Imagine you've got a form that POSTs data back to the server. If you're using $_REQUEST and someone adds ?id=1 to the URL then your script will use that rather than the POST'ed version if your order of precedence puts GET above POST. That is a security risk.
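The precedence problem onion2k describes can be reproduced without a web server. The script below is an added example, not code from the thread: it rebuilds the way $_REQUEST is assembled (sources applied in the order given by request_order, or variables_order when request_order is empty, each later source overwriting the earlier ones), runs it over a constructed request where the form POSTs id=42 while the URL carries ?id=1, and then shows the explicit alternative of reading the id from $_POST only. The function names mergedRequest and recordIdFromPost are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample request: the form POSTs id=42, the URL carries ?id=1.
$get  = ['id' => '1'];
$post = ['id' => '42'];

// Reproduces how $_REQUEST is built: each source named in the order string
// (G = GET, P = POST, C = COOKIE) is applied in turn, and a later source
// overwrites keys already set by an earlier one. Letters that are not
// request sources (E, S from variables_order) are ignored.
function mergedRequest(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Which source wins depends purely on server configuration, not on the code.
foreach (['GP', 'PG'] as $order) {
    $request = mergedRequest($get, $post, [], $order);
    printf("order %s: \$_REQUEST['id'] would be %s\n", $order, $request['id']);
}

// The order the running PHP is actually configured with.
$configured = ini_get('request_order') ?: ini_get('variables_order');
printf("this server's order: %s\n", $configured);

// Reading from the source you expect removes the ambiguity: a query-string
// id is simply never consulted. The value is validated as a positive integer.
function recordIdFromPost(array $post): ?int
{
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

$id = recordIdFromPost($post);
printf("id taken from POST only: %s\n", $id === null ? 'invalid' : (string) $id);
```

The last part is the practical check for an existing code base: grep for $_REQUEST and replace each use with the one superglobal the handler is meant to accept, so that the answer to "which id did this request act on" no longer depends on php.ini.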
Returns FALSE if var has a non-empty and non-zero value.
The following things are considered to be empty:
"" (an empty string)
0 (0 as an integer)
"0" (0 as a string)
NULL
FALSE
array() (an empty array)
var $var; (a variable declared, but without a value in a class)
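The two points above (a single = in the condition, and "0" counting as empty) both apply to the original "fuel" question. The script below is an added example, not code from the thread: it places the buggy comparison next to a corrected one, uses the literal-first form recommended earlier so that a dropped = becomes a parse error, and runs both over constructed form submissions. The function names fuelMessageBuggy and fuelMessage and the option list FUEL_OPTIONS are hypothetical.

```php
<?php
declare(strict_types=1);

// Allowed values of the <select name="fuel">; "0" is the "please choose" placeholder.
const FUEL_OPTIONS = ['1' => 'Petrol', '2' => 'Diesel', '3' => 'Electric'];

// Constructed submissions standing in for $_POST.
$submissions = [
    'nothing chosen'  => ['fuel' => '0'],
    'diesel chosen'   => ['fuel' => '2'],
    'field missing'   => [],
    'tampered value'  => ['fuel' => '9'],
];

// Buggy version: "=" assigns 0 to $fuel; the assignment evaluates to 0, which
// is false, so the message is never shown and the submitted value is lost.
function fuelMessageBuggy(array $post): string
{
    $fuel = $post['fuel'] ?? '0';
    if ($fuel = 0) {
        return 'You have not selected an answer';
    }
    return 'Fuel: ' . $fuel;
}

// Corrected version. The literal is written first, so a typo like
// '0' = $post['fuel'] cannot compile. A missing field, a non-string value
// (fuel[]=1 sent as an array) and the "0" placeholder are all rejected, and
// anything not in the option list is refused rather than echoed back.
function fuelMessage(array $post): string
{
    if (!isset($post['fuel']) || !is_string($post['fuel']) || '0' === $post['fuel']) {
        return 'You have not selected an answer';
    }
    if (!array_key_exists($post['fuel'], FUEL_OPTIONS)) {
        return 'Invalid selection';
    }
    return 'Fuel: ' . FUEL_OPTIONS[$post['fuel']];
}

foreach ($submissions as $label => $post) {
    printf("%-16s buggy: %-32s fixed: %s\n", $label, fuelMessageBuggy($post), fuelMessage($post));
}
```

Because empty() treats "0" as empty, the "not selected" branch can also be written as if (empty($_POST['fuel'])); the explicit form above is kept here to make clear that the same branch also fires when the field is absent altogether, which is usually what you want for a required dropdown.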
I don't see it. It's both user input. I have to test and check it both the same way. What harm can it do to my application's or server's security?
It may be that I don't want the user to be able to replace post data by get data. But that's no matter of security.
You guys are off topic but you're both right. Although in and of itself using $_REQUEST may not be a security risk, it can lead to security risks. Notably $_GET data can end up performing actions which should only be done via $_POST data.
astions wrote:Although in and of itself using $_REQUEST may not be a security risk, it can lead to security risks. Notably $_GET data can end up performing actions which should only be done via $_POST data.
No. POST data is not a bit more secure than GET data. And neither are cookies. All user input, all not to trust. There are reasons why you might not want to use _REQUEST, but security is not one of them.
When you use $_GET data to perform actions, such as deleting a record, this is the security risk. You cannot know that the data is coming from the currently logged in user. It could be coming from another website that the currently logged in user is viewing.
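The scenario in the last reply (a delete triggered by a request the logged-in user's browser sends while viewing another site) is the usual cross-site request forgery. The script below is an added example, not code from the thread: it issues a per-session token, embeds it in the site's own form, and honours a delete only when the request is a POST that carries that token, so a forged GET fails the method check and a forged POST from another origin fails the token check because that origin cannot read the token. Session, request method and form data are passed in as arrays standing in for $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST so the script runs from the command line; the function names csrfToken, csrfHiddenField and deleteAllowed are hypothetical.

```php
<?php
declare(strict_types=1);

// One random token per session, created on first use.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to place inside every form that changes state.
function csrfHiddenField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// The delete handler's gate: POST only, and the token must match the
// session's token. hash_equals avoids a timing side channel on the compare.
function deleteAllowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed session and requests.
$session = [];
$field   = csrfHiddenField($session);   // what the site's own form would contain
printf("form field: %s\n", $field);

$cases = [
    'GET from a link on another site' => ['GET',  ['id' => '7']],
    'POST without a token'            => ['POST', ['id' => '7']],
    "POST from the site's own form"   => ['POST', ['id' => '7', 'csrf_token' => $session['csrf_token']]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-34s %s\n", $label, deleteAllowed($method, $post, $session) ? 'deleted' : 'refused');
}
```

The method check alone is not enough, which is the point volka and astions were circling: a form on another site can POST just as easily as it can link, so the protection comes from the secret the other site cannot obtain, with "POST only" serving to keep destructive actions out of links, prefetchers and image tags.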