On Sat, January 5, 2008 2:48 pm, Stefan Esser wrote:
> Hello,
>
>>> typing into PHP, even if it is optional. Passing $_REQUEST['age']
>>> to a
>>>
>> that $_REQUEST['age'] has been checked for numeric before the
>> functio
>
> would you please not use $_REQUEST in any of your examples? $_REQUEST
> is one of the biggest design weaknesses in PHP. Every application using
> $_REQUEST is most probably vulnerable to Delayed Cross Site Request
> Forgery problems. (This basically means if e.g. a cookie named (age)
> exists it will always overwrite the GET/POST content and therefore
> unwanted requests will be performed)
Can you explain (or point to a reference) how this is any worse than
GET/POST over-writing each other, depending on gpc settings?

In other words, if I'm not catching the user over-writing GET with POST
or vice versa, then having a forged COOKIE over-write it seems no worse
to me.

If a web service really doesn't care whether it is responding to GET or
POST or even forged COOKIES to produce its output, why would it not just
use REQUEST?

It's not as if it's any harder to forge GET vs. POST vs. COOKIE data,
really.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
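As an added illustration (not from either message in the thread), the PHP snippet below emulates how $_REQUEST is assembled from GET, POST and COOKIE in the order given by variables_order, with later sources overwriting earlier ones, which is the cookie-wins behaviour Stefan describes; it then shows the two defensive options: reading from the explicit superglobal, and (PHP 5.3 and later) setting request_order to "GP" so cookies never enter $_REQUEST. The input arrays and the build_request/param helpers are constructed for the demonstration and are not PHP's own API.

```php
<?php
// Constructed demonstration of $_REQUEST precedence (not PHP internals code).
// In PHP 5.2 the letters G, P, C of variables_order ("EGPCS" by default)
// decide the merge order of $_REQUEST; each later source overwrites the
// earlier one, so a cookie silently replaces a GET or POST value of the
// same name. PHP 5.3 added request_order, which takes over that role.

/** Merge the sources in the given order, later sources overwriting earlier. */
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge keeps the right-hand value for duplicate string keys
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Read a parameter only from POST or GET; a cookie can never supply it. */
function param(array $get, array $post, string $name): ?string
{
    if (isset($post[$name])) {
        return (string) $post[$name];
    }
    if (isset($get[$name])) {
        return (string) $get[$name];
    }
    return null;
}

// Constructed sample request: the form submitted age=30, but a stale or
// injected cookie named "age" is also present in the same request.
$get    = [];
$post   = ['age' => '30'];
$cookie = ['age' => '99', 'PHPSESSID' => 'constructed-session-id'];

// variables_order = "EGPCS" (PHP 5.2 default): the cookie wins.
$merged = build_request($get, $post, $cookie, 'GPC');
echo "\$_REQUEST['age'] with order GPC: " . $merged['age'] . "\n";   // 99

// Explicit superglobal lookup: the cookie is never consulted.
echo "explicit POST/GET lookup:         " . param($get, $post, 'age') . "\n"; // 30

// request_order = "GP" (php.ini-production, PHP >= 5.3): cookies excluded.
$merged53 = build_request($get, $post, $cookie, 'GP');
echo "\$_REQUEST['age'] with order GP:  " . $merged53['age'] . "\n";  // 30
```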