--- Ben Edwards <[EMAIL PROTECTED]> wrote:

> What I don't understand is if $_GET is being used, people can just
> change the URL anyway, so why is it an issue?

It is only an issue in the sense that it hides the origin of data. An attacker can leverage this fact to exploit weaknesses in your application.

When a developer uses $_GET['foo'] in his/her code, it is more obvious that the data is tainted than if the developer uses $foo, which could be tainted or could be filtered.

It also keeps client data from crossing over, and distinguishing between POST data and GET data can be crucial in defending against attacks such as Cross-Site Request Forgeries (CSRF).

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/

HTTP Developer's Handbook
http://httphandbook.org/

RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
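The two points in Chris's reply, shown side by side in an added example that is not part of the original thread and not Chris's own code. It emulates the register_globals-style behaviour the reply alludes to (request keys turning into plain variables such as $foo) with extract(), so it runs on a current PHP CLI without that ini setting. The function names, the demo account, the session token and the sample requests are all constructed for the illustration.

```php
<?php
// Added illustration for this thread (not Chris's or PHP's own code). It shows why
// $authorized, unlike $_GET['authorized'], does not tell you who set it, and why a
// state-changing action should insist on POST plus a CSRF token instead of accepting
// whatever arrived. Everything below is constructed demo data.

// Constructed demo account; the password is hashed at runtime and never compared in plain text.
$DEMO_USER = 'alice';
$DEMO_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function check_login(array $post, string $user, string $hash): bool
{
    return ($post['user'] ?? '') === $user
        && password_verify((string) ($post['pass'] ?? ''), $hash);
}

// --- Pattern the reply warns about: the origin of $authorized is hidden -------------
function vulnerable_is_authorized(array $get, array $post, string $user, string $hash): bool
{
    // Emulates register_globals=On: every query-string key becomes a local variable,
    // so a request such as ?authorized=1 silently pre-sets $authorized before any check.
    extract($get);
    if (!isset($authorized)) {            // meant to run on every request...
        $authorized = check_login($post, $user, $hash);
    }
    return (bool) $authorized;            // ...but the client may have chosen the value
}

// --- Hardened form: explicit superglobal only, initialised by the server ------------
function hardened_is_authorized(array $post, string $user, string $hash): bool
{
    $authorized = false;                  // the server owns this variable's initial value
    // Client data is read only from the named request array; nothing is extracted
    // into the local scope, so a stray ?authorized=1 cannot reach this variable.
    if (check_login($post, $user, $hash)) {
        $authorized = true;
    }
    return $authorized;
}

// --- Keep GET and POST apart, and bind writes to a CSRF token -----------------------
function state_change_allowed(string $method, array $post, string $sessionToken): bool
{
    // A cross-site <img> or plain link can only produce a GET; require POST for writes,
    // and read the token from $_POST specifically, never from a merged $_REQUEST.
    if ($method !== 'POST') {
        return false;
    }
    $submitted = (string) ($post['csrf_token'] ?? '');
    // Constant-time comparison against the copy the server stored in the session.
    return $sessionToken !== '' && hash_equals($sessionToken, $submitted);
}

// Constructed requests for the demo.
$attackerGet   = ['authorized' => '1', 'page' => 'admin'];   // ?authorized=1&page=admin
$noCredentials = [];                                         // no login form was submitted
$sessionToken  = bin2hex(random_bytes(16));                  // stands in for $_SESSION['csrf_token']
$forgedPost    = ['action' => 'delete', 'csrf_token' => 'guess'];
$genuinePost   = ['action' => 'delete', 'csrf_token' => $sessionToken];

var_dump(vulnerable_is_authorized($attackerGet, $noCredentials, $DEMO_USER, $DEMO_HASH)); // URL-only request, no credentials
var_dump(hardened_is_authorized($noCredentials, $DEMO_USER, $DEMO_HASH));                 // same request, explicit source
var_dump(state_change_allowed('GET',  $genuinePost, $sessionToken));                      // right token, wrong method
var_dump(state_change_allowed('POST', $forgedPost,  $sessionToken));                      // right method, wrong token
var_dump(state_change_allowed('POST', $genuinePost, $sessionToken));                      // both checks satisfied
```

Run it with `php example.php`. The first call succeeds with nothing but a query string, because once the request keys are extracted the code can no longer tell a client-supplied $authorized from its own; the hardened version fails the same request because the variable is initialised server-side and only changed by the login check. The last three calls show the GET/POST distinction doing real work: the correct token sent over GET is rejected, as is a POST with a guessed token, and only a POST carrying the session's token passes.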