temidayo wrote:Do you have a live example of how using $_REQUEST has
resulted in an exploit or security breach?
Let's say that you have established a web hosting business at yourhost.com. You use the following code in your hosting ACP:
Code: Select all
if (isset($_REQUEST['delete_client']))
... deletes the client ...
Your ACP (Admin Control Panel) is fully secured and all sorts of data filtering is applied as well. So, what's the problem? Now, imagine your client at hacker.yourhost.com sets a cookie:
Code: Select all
setcookie('delete_client','...',time()+3600*24*365,'/','.yourhost.com');
Now when you as an admin visit the website hacker.yourhost.com, the above cookie will be generated for you. Now, when you next time visit your ACP page, the specified client will be deleted without any action from you.
Now, there are ways to prevent that from happening, e.g. using tokens, but as you can see it involves risks as you do not implicitly ask for a specific type of a method and I can guarantee you, there are many ways of exploiting the use of $_REQUEST in a way the coder did not expect.
Using $_REQUEST opens many doors, and you really have to have a decent knowledge on security. There is very rarely a need to use $_REQUEST, so do not use it.