using $_REQUEST and POST question
Posted: Wed Jan 14, 2009 3:15 pm
by ianhull
Hi all,
Can anyone tell me which one is processed first when using $_REQUEST, is it $_POST or $_GET?
I'm concerned that people may be able to manipulate the address bar in my application.
I am using:
foreach ($_REQUEST as $array_key => $array_value) {
    // variable variable: creates a local variable named after each request key
    $$array_key = mysql_real_escape_string($array_value);
} // end foreach
Any help or info on this is greatly appreciated.
Re: using $_REQUEST and POST question
Posted: Wed Jan 14, 2009 3:19 pm
by jaoudestudios
Simple answer... don't use REQUEST!
Use GET or POST, just NOT REQUEST.
Re: using $_REQUEST and POST question
Posted: Wed Jan 14, 2009 3:43 pm
by VladSun
jaoudestudios wrote:Simple answer... don't use REQUEST!
Use GET or POST, just NOT REQUEST.
Why

That's why:
viewtopic.php?f=1&t=89534&hilit=+request+get+post
Re: using $_REQUEST and POST question
Posted: Wed Jan 14, 2009 3:52 pm
by jaoudestudios
I appreciate it is not much of a security risk if any, but I dislike ambiguity.

Re: using $_REQUEST and POST question
Posted: Wed Jan 14, 2009 3:56 pm
by VladSun
jaoudestudios wrote:I appreciate it is not much of a security risk if any, but I dislike ambiguity.

Did you read the article mentioned there:
http://shiflett.org/articles/cross-site ... -forgeries
Re: using $_REQUEST and POST question
Posted: Thu Jan 15, 2009 1:50 am
by jaoudestudios
No, I only briefly read the thread as I did not have time, I will read it properly this morning.
Re: using $_REQUEST and POST question
Posted: Thu Jan 15, 2009 2:28 am
by jaoudestudios
These are the points that stood out for me...
Andre D wrote:...So avoiding $_REQUEST doesn't necessarily make your site more secure, but by explicitly checking for data in the appropriate $_POST and $_GET arrays, you can be more confident that your visitors are using your web application within the operating parameters that you define.
Chris Shiflett wrote:...Using $_REQUEST unnecessarily increases your risk...
Chris Shiflett wrote:...convenience typically increases risk...
Also mentioned in Chris Shiflett's article was to use a hidden form field with a random token to help prevent against CSRF attacks and give this token an expiry time - great idea!
So I still stand by what I said, I don't recommend using REQUEST; it is sloppy!
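As an added example (not code from the thread or from any of its posters), the following script does what the quoted points recommend: it reads form input only from $_POST, so a value of the same name in the query string is ignored, and it checks a hidden-field CSRF token that expires and is single-use. It is written for current PHP (7+, for random_bytes and hash_equals), stores the token in the PHP session, and uses a prepared statement rather than escaping values into the query. The function names, the 600-second lifetime, and the PDO connection details are this example's own assumptions. On the original question about precedence: with PHP's default variables_order of "EGPCS", $_REQUEST is filled from $_GET, then $_POST, then $_COOKIE, and a later source overwrites an earlier one with the same key; reading from the explicit superglobal avoids having to reason about that merge at all.

```php
<?php
// Added example (not from the thread). Reads form input only from $_POST and
// checks a per-form CSRF token with an expiry, as the post above describes.
// issue_csrf_token, verify_csrf_token and read_post_param are this example's
// own names; they are not part of PHP or any library.

declare(strict_types=1);

const CSRF_LIFETIME = 600; // seconds a token stays valid (assumed value)

// Issue a token, store it with its issue time in the session, and return it
// for use in a hidden form field.
function issue_csrf_token(): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters
    $_SESSION['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Verify the submitted token against the session copy. The stored token is
// removed on the first attempt, so it cannot be replayed.
function verify_csrf_token(string $submitted): bool
{
    if (!isset($_SESSION['csrf']['token'], $_SESSION['csrf']['issued'])) {
        return false;
    }
    $stored = $_SESSION['csrf'];
    unset($_SESSION['csrf']); // single use, whether or not it matches
    if (time() - $stored['issued'] > CSRF_LIFETIME) {
        return false; // expired
    }
    return hash_equals($stored['token'], $submitted); // constant-time compare
}

// Read a named parameter from $_POST only. A query-string parameter with the
// same name is never consulted, so the address bar cannot supply form fields.
function read_post_param(string $name, int $max_len = 255): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    $value = $_POST[$name];
    return strlen($value) <= $max_len ? $value : null;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = read_post_param('csrf_token', 64);
    if ($token === null || !verify_csrf_token($token)) {
        http_response_code(403);
        exit('Form token missing, expired, or invalid.');
    }
    $comment = read_post_param('comment', 2000);
    if ($comment === null) {
        http_response_code(400);
        exit('Missing or oversized comment.');
    }
    // Prepared statement instead of escaping into a query string.
    // The DSN, user and password below are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    echo 'Saved.';
    exit;
}

// GET: render the form with a fresh token in a hidden field.
$token = htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<textarea name="comment"></textarea>'
   . '<button type="submit">Post</button>'
   . '</form>';
```

Because the token is consumed on the first verification attempt and compared with hash_equals, a submission that arrives without the freshly issued token (the cross-site case) or after the lifetime has passed is rejected before any input is processed. The variable-variables loop in the original post has the opposite property: any client-chosen key becomes a variable in that scope, so the code cannot tell its own variables from request-supplied ones.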

Re: using $_REQUEST and POST question
Posted: Thu Jan 15, 2009 2:42 am
by papa
The myspace hack was really interesting to read.

Re: using $_REQUEST and POST question
Posted: Thu Jan 15, 2009 2:43 am
by VladSun
jaoudestudios wrote:So I still stand by what I said, I don't recommend using REQUEST; it is sloppy!

That's my opinion too. I changed my mind after reading this article.

Re: using $_REQUEST and POST question
Posted: Thu Jan 15, 2009 3:14 am
by jaoudestudios
VladSun wrote:jaoudestudios wrote:So I still stand by what I said, I don't recommend using REQUEST; it is sloppy!

That's my opinion too. I changed my mind after reading this article.


Glad you're converted
