REQUEST vS GET/POST/COOKIE & security risk

itp
Forum Commoner
Posts: 67
Joined: Fri Jun 15, 2007 6:50 am

Post by itp »

A colleague told me that a $_REQUEST[] to pick up CGI variables passed into a php program is somehow less secure than using the appropriate $_GET/POST/COOKIE. I like to use $_REQUEST because I can test code with get and then deploy using post without having to change PHP code before I deploy.

$_COOKIE['var']
$_GET['var']
$_POST['var']
$_REQUEST['var']
Also, why would I want to set a non-existent variable to blanks as in the structure below?
What risk is being mitigated here?

$myvar = (empty($_REQUEST['var'])) ? "" : $_REQUEST['var'];
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by pickle »

What happens if someone submits a $_GET variable, say "session_id", when a $_POST variable named "session_id" already exists? I'm not sure, but if there's any chance of it overriding, that's a security issue. Of course, $_POST can be spoofed too, but there are fewer people that know how to do that than know how to put another variable in the URL.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by jmut »

Well, there is certainly no security risk. I'd say learning to spoof POST and not just GET takes 30 min max. Just copy/paste a curl example and you're in business. So if you validate/sanitize all your input data, you have nothing to worry about.
There is something else though... the principle that it's good for GET requests to only retrieve data, while POST is used to write/manipulate data. So in this respect it's maybe not very nice to have &submit=1 on the URL and have this modify content. Generally, people bookmarking stuff expect stuff to be retrieved only and not to have a direct impact on data.
So, bottom line, I'd say you should use POST in the forms and check if !empty($_POST)...process...then you can use $_REQUEST all the way.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by requinix »

Second mistake. Looks like REQUEST only contains GET, POST, and COOKIE. I mention SESSION and that's irrelevant now, but the point still stands: stuff gets overwritten.

Like pickle mentioned, one thing about REQUEST is that values get overwritten if defined in more than one place. By default, SESSION overwrites COOKIE overwrites POST overwrites GET overwrites ENV: look at your variables_order INI setting to see what the order is for you (default being EGPCS: ENV first, SESSION last).

Let's say you have a user login system, and like most people you store the username in $_SESSION[username]. Now let's say they want to send a PM to somebody and your form has

User: <input type="text" name="username" />
If you use REQUEST they'll always PM themselves because SESSION overwrites POST information.

IMO I agree with jmut: it's not really a security problem per se as it is a way of screwing up stuff. Security holes mostly come from mishandling user-supplied information - doesn't really matter where it comes from.
Last edited by requinix on Thu Oct 16, 2008 7:14 pm, edited 1 time in total.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by VladSun »

http://bg.php.net/manual/en/reserved.va ... equest.php
$_REQUEST — HTTP Request variables
Description

An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE.
I don't see $_SESSION here ...
It's (or it was in PHP 5- ?!?) "EGPCS" - i.e. "ENV, GET, POST, COOKIE, SERVER".

I don't think that using $_REQUEST introduces any security risks - it's all user input and it should be treated as such ;)
The only issue I have ever experienced was the overwriting of $_COOKIE array - that's why I always use "C_" prefix for cookie stored values.

Also, I don't think one should put a request method based validation logic into his code - it's all the same.
There are 10 types of people in this world, those who understand binary and those who don't
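
The overwrite behaviour discussed in the posts above, as an added example that is not part of any post: $_REQUEST is filled from the letters of the request_order INI setting (variables_order when request_order is empty), and a later letter replaces an earlier one. The function simulate_request() and the sample values are constructed for the illustration; it mimics the merge so it can be run from the command line, where the real $_REQUEST is empty.

```php
<?php
// Added example: mimics how PHP fills $_REQUEST and reports name collisions.

/**
 * @return array{0: array, 1: array} merged values, and for every key supplied
 *         by more than one source the list of source letters in merge order
 */
function simulate_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    $origin = [];      // key => letter of the source that currently wins
    $collisions = [];  // key => letters that supplied it, last one wins

    foreach (str_split(strtoupper($order)) as $letter) {
        if (!isset($sources[$letter])) {
            continue; // E and S are skipped: $_REQUEST holds only GET, POST, COOKIE
        }
        foreach ($sources[$letter] as $key => $value) {
            if (isset($origin[$key])) {
                $collisions[$key] = $collisions[$key] ?? [$origin[$key]];
                $collisions[$key][] = $letter;
            }
            $merged[$key] = $value;
            $origin[$key] = $letter;
        }
    }
    return [$merged, $collisions];
}

// Constructed sample request: a form posts "username", and the browser also
// sends a cookie that happens to use the same name.
$get    = ['page' => 'compose'];
$post   = ['username' => 'alice', 'body' => 'hi'];
$cookie = ['username' => 'bob'];

foreach (['GPC', 'GP', 'CGP'] as $order) {
    [$req, $dups] = simulate_request($order, $get, $post, $cookie);
    printf("%-3s username=%s", $order, $req['username']);
    foreach ($dups as $key => $letters) {
        printf("  [%s supplied by %s, %s wins]", $key, implode(',', $letters), end($letters));
    }
    echo PHP_EOL;
}
```

Passing the real $_GET, $_POST and $_COOKIE arrays together with ini_get('request_order') to the same function lists the colliding names for a live request.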
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by André D »

It's an ideology thing. $_REQUEST alone doesn't make your application less secure, but it might make it more likely that an attacker will find a security hole that exists somewhere else in your application.

If what you're doing with the variables is idempotent, then using $_REQUEST is perfectly fine. On the other hand, if you have a form that transmits important data for you to update in a database, and the form's method is always POST, it is a good practice to make sure that the page that processes the form confirms that the variables were transmitted via POST instead of GET. Because if a form's method is POST, but the data came in with GET, there's a pretty good chance that something "funny" is going on.

Something like that might happen if someone is trying to execute a CSRF attack, and a careful programmer will no doubt have a proper CSRF defense mechanism in place (right?), making the attack unsuccessful no matter what superglobal you use to retrieve the values.

So avoiding $_REQUEST doesn't necessarily make your site more secure, but by explicitly checking for data in the appropriate $_POST and $_GET arrays, you can be more confident that your visitors are using your web application within the operating parameters that you define.

In other words, even if I have all the real safeguards in place (CSRF protection, input validation, etc.) I still don't want people sending data in the query string (GET) if I designed it to send that data via POST variables.

For more reading, consider what Chris Shiflett has to say:
http://shiflett.org/articles/ideology
http://shiflett.org/articles/cross-site ... -forgeries
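
The check André D describes, as an added example that is not part of any post: a handler for a state-changing form that reads only from $_POST, refuses other request methods and verifies a CSRF token. The function names, field names, session key and recipient pattern are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. Names and the recipient rule are hypothetical.

/** Return a string field from one explicit source, or $default. */
function field(array $source, string $key, string $default = ''): string
{
    // isset + is_string instead of empty(): "0" is kept, arrays (var[]=x) are rejected.
    return isset($source[$key]) && is_string($source[$key]) ? $source[$key] : $default;
}

/**
 * Validate a "send private message" submission.
 * @return array{ok: bool, status: int, error: string, data: array}
 */
function handle_send_pm(string $method, array $post, array $session): array
{
    if ($method !== 'POST') {
        return ['ok' => false, 'status' => 405, 'error' => 'POST required', 'data' => []];
    }
    $sent     = field($post, 'csrf_token');
    $expected = field($session, 'csrf_token');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return ['ok' => false, 'status' => 403, 'error' => 'bad CSRF token', 'data' => []];
    }
    $to = field($post, 'username');
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/D', $to)) {
        return ['ok' => false, 'status' => 422, 'error' => 'invalid recipient', 'data' => []];
    }
    // Sender comes from the session, recipient from the form: no shared namespace.
    return ['ok' => true, 'status' => 200, 'error' => '',
            'data' => ['from' => field($session, 'username'), 'to' => $to]];
}

// Constructed demo inputs; a real page would pass
// $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION.
$session = ['username' => 'alice', 'csrf_token' => bin2hex(random_bytes(16))];
$form    = ['username' => 'bob', 'csrf_token' => $session['csrf_token']];

foreach ([['GET', $form], ['POST', ['username' => 'bob']], ['POST', $form]] as [$m, $p]) {
    $r = handle_send_pm($m, $p, $session);
    echo $m, ' -> ', $r['status'], ' ', $r['error'] ?: 'ok', PHP_EOL;
}
```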
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: REQUEST vS GET/POST/COOKIE & security risk

Post by Stryks »

Very nice links there André D.

Sums up my thoughts on the issue - and then some.