PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
volka wrote: I don't see it. Both are user input. I have to test and check both the same way. What harm can it do to my application's or server's security?
It may be that I don't want the user to be able to replace post data by get data. But that's no matter of security.
$_REQUEST can open a lot of programmers up to XSS.
What can't you do to _REQUEST data that you can do to _POST or _GET?
Let me put it this way: I've seen this discussion several times now and I'm still waiting for an example of a real security risk that is inherent to _REQUEST.
And what good does it do my script's security to know that it is a post request?
I could e.g. put a form/post on my malicious website instead of a link.
Not with an image tag requesting the remote page. It happens totally without the user's knowledge. If you're logged into site foo and you visit malicious site bar, this second site can perform actions on your behalf on site foo through the use of image-tag GET requests.
What pictures of Shirley Schmidt did Alan Shore actually buy?
See for yourself on
<form method="post" action="http://www.the.Other/Site.php" style="display:inline;">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="filter" value="*" />
<input style="display:inline; text-decoration:underline; color:blue; background:none; border:none; cursor:pointer;"
type="submit" value="The official Boston Legal page" />
</form>
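To put the thread's point into code, here is an added example (not written by any poster): the same "delete" handler first reading from $_REQUEST, so the hidden form above or an image tag with ?action=delete&filter=* fires it with the victim's session cookie, and then hardened to require POST plus a session-bound anti-CSRF token. delete_files() is a hypothetical helper standing in for the real action.

```php
<?php
// Added example, not from the thread. delete_files() is hypothetical.
session_start();

// --- Weak: method-agnostic, nothing ties the request to this site ---------
function handle_weak(): void {
    // $_REQUEST merges GET, POST and cookies, so a plain <img> GET from
    // another site reaches this branch with the logged-in user's cookie.
    if (($_REQUEST['action'] ?? '') === 'delete') {
        delete_files($_REQUEST['filter'] ?? '');
    }
}

// --- Hardened -------------------------------------------------------------
function csrf_token(): string {
    // One random token per session from a CSPRNG; the attacker's page
    // cannot read it, so it cannot forge a valid form.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function handle_hardened(): void {
    // 1. State changes only via POST: an <img> or a link cannot send one.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }
    // 2. Read from $_POST only, so a GET parameter cannot stand in for it.
    $token = $_POST['csrf'] ?? '';
    // 3. Constant-time comparison; is_string() rejects csrf[]=... arrays.
    if (!is_string($token) || !hash_equals(csrf_token(), $token)) {
        http_response_code(403);
        return;
    }
    if (($_POST['action'] ?? '') === 'delete') {
        delete_files($_POST['filter'] ?? '');
    }
}

// The legitimate form carries the token as a hidden field.
function render_form(): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/Site.php">'
         . '<input type="hidden" name="csrf" value="' . $t . '" />'
         . '<input type="hidden" name="action" value="delete" />'
         . '<input type="submit" value="Delete" /></form>';
}
```

Setting session.cookie_samesite=Strict (PHP 7.3+) adds a second layer, since the browser then omits the session cookie from cross-site requests altogether.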