using $_REQUEST and POST question

ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

using $_REQUEST and POST question

Post by ianhull »

Hi all,

Can anyone tell me which one is processed first when using $_REQUEST, is it $_POST or $_GET?

I'm concerned that people may be able to manipulate the address bar in my application.

I am using:

Code:

foreach ($_REQUEST as $array_key => $array_value) {
    $$array_key = mysql_real_escape_string($array_value);
} // end foreach

Any help or info on this is greatly appreciated.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: using $_REQUEST and POST question

Post by jaoudestudios »

Simple answer... don't use REQUEST! :)

Use GET or POST, just NOT REQUEST.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: using $_REQUEST and POST question

Post by VladSun »

jaoudestudios wrote: Simple answer... don't use REQUEST! :)

Use GET or POST, just NOT REQUEST.
Why ;)
That's why :
viewtopic.php?f=1&t=89534&hilit=+request+get+post
There are 10 types of people in this world, those who understand binary and those who don't
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: using $_REQUEST and POST question

Post by jaoudestudios »

I appreciate it is not much of a security risk if any, but I dislike ambiguity. :)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: using $_REQUEST and POST question

Post by VladSun »

jaoudestudios wrote:I appreciate it is not much of a security risk if any, but I dislike ambiguity. :)
Did you read the article mentioned there:
http://shiflett.org/articles/cross-site ... -forgeries
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: using $_REQUEST and POST question

Post by jaoudestudios »

VladSun wrote:
jaoudestudios wrote:I appreciate it is not much of a security risk if any, but I dislike ambiguity. :)
Did you read the article mentioned there:
http://shiflett.org/articles/cross-site ... -forgeries
No, I only briefly read the thread as I did not have time, I will read it properly this morning.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: using $_REQUEST and POST question

Post by jaoudestudios »

These are the points that stood out for me...
Andre D wrote:...So avoiding $_REQUEST doesn't necessarily make your site more secure, but by explicitly checking for data in the appropriate $_POST and $_GET arrays, you can be more confident that your visitors are using your web application within the operating parameters that you define.
Chris Shiflett wrote:...Using $_REQUEST unnecessarily increases your risk...
Chris Shiflett wrote:...convenience typically increases risk...
Also mentioned in Chris Shiflett's article was to use a hidden form field with a random token to help protect against CSRF attacks and give this token an expiry time - great idea!

So I still stand by what I said, I don't recommend using REQUESTs, it is sloppy! :)
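
An added example, not part of any post in this thread: a handler that reads only named fields from $_POST instead of copying $_REQUEST (which merges GET, POST and, depending on request_order, cookie data) into variables, and checks the expiring hidden-field token mentioned above. The field names, the 15-minute TTL and the sample request are assumptions, and it uses PHP 7+ functions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Field names, TTL and sample data are assumed.

const CSRF_TTL = 900; // seconds a token stays valid (assumed value)

// Store a fresh random token and its expiry time in the session array.
function csrf_issue(array &$session, int $now): string
{
    $session['csrf'] = ['token' => bin2hex(random_bytes(32)), 'expires' => $now + CSRF_TTL];
    return $session['csrf']['token']; // emitted as <input type="hidden" name="csrf_token">
}

// Accept the request only if the POSTed token matches and has not expired.
function csrf_check(array $session, array $post, int $now): bool
{
    $stored = $session['csrf'] ?? null;
    $sent   = $post['csrf_token'] ?? null;
    if (!is_array($stored) || !is_string($sent) || $now > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['token'], $sent); // constant-time comparison
}

// Copy only the expected fields from $_POST; no request key ever becomes a variable name.
function read_post_fields(array $post, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        $value = $post[$name] ?? '';
        $clean[$name] = is_string($value) ? trim($value) : ''; // array input (name[]=x) is dropped
    }
    return $clean;
}

// Constructed sample request; a real handler would pass $_SESSION and $_POST.
$session = [];
$now     = time();
$token   = csrf_issue($session, $now);
$post    = ['csrf_token' => $token, 'username' => ' ian ', 'is_admin' => '1'];

var_dump(csrf_check($session, $post, $now));                      // same token, within TTL
var_dump(csrf_check($session, $post, $now + CSRF_TTL + 1));       // same token, after expiry
var_dump(csrf_check($session, ['csrf_token' => 'forged'], $now)); // token not issued by us
var_dump(read_post_fields($post, ['username', 'email']));         // is_admin is not on the list
```

The values returned by read_post_fields() are still untrusted strings and need a prepared statement or escaping before they reach SQL.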
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: using $_REQUEST and POST question

Post by papa »

VladSun wrote:
jaoudestudios wrote:I appreciate it is not much of a security risk if any, but I dislike ambiguity. :)
Did you read the article mentioned there:
http://shiflett.org/articles/cross-site ... -forgeries
The myspace hack was really interesting to read. :D
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: using $_REQUEST and POST question

Post by VladSun »

jaoudestudios wrote: So I still stand by what I said, I don't recommend using REQUESTs, it is sloppy! :)
That's my opinion too. I changed my mind after reading this article ;)
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: using $_REQUEST and POST question

Post by jaoudestudios »

VladSun wrote:
jaoudestudios wrote: So I still stand by what I said, I don't recommend using REQUESTs, it is sloppy! :)
That's my opinion too. I changed my mind after reading this article ;)
:D Glad you're converted :drunk: