On Mon, February 12, 2007 8:41 pm, J R wrote:
> It is not advised to do filtering on _REQUEST, getting data in general
> from it, actually. It is much better to specify where your data is coming
> from (e.g. _POST or _GET). This is because the variable _REQUEST contains
> all the data from the cookies, GET and POST, and if ever you have the same
> variable name in two or more of those variables you might get the wrong one.
>
> And as we all know there is a security risk with cookies. Users can easily
> replace your data, for example in POST, using cookies.

Or they could replace all the POST data using POST...

A Bad Guy would have to be incredibly naive, unskilled, and downright
dumb to be caught by your script differentiating between
GET/POST/COOKIE as the source of the data.

Spoofing a POST is a matter of saving the HTML locally and filling in
whatever you want for extra INPUT and the values you like.

If you intentionally have 2 (or more) inputs to your script of the
same name, one each from GET/POST/COOKIE, I'd have to say that's a
pretty confusing design from the get-go.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
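The collision both posters describe, and the point of the reply, shown in code. This is an added example, not code from either poster; it assumes PHP's built-in variables_order of "EGPCS" with request_order unset (so $_REQUEST is filled from GET, then POST, then COOKIE, later sources overwriting earlier ones) and uses constructed sample arrays rather than a live request.

```php
<?php
// Added example (not from the original thread). The source of a parameter is
// not a trust boundary: the client controls GET, POST and cookies alike, so the
// server must validate the value wherever it came from.

// Mimics how PHP assembles $_REQUEST: it walks request_order (or variables_order
// when request_order is empty) left to right; a later source overwrites an
// earlier one holding the same name. 'GPC' is the assumed default here.
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Reads one parameter from an explicitly chosen array and validates it as a
// bounded integer. Returns null when the parameter is missing or invalid.
function read_int_param(array $source, string $name, int $min, int $max): ?int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = filter_var(
        $source[$name],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );
    return $value === false ? null : $value;
}

// Constructed sample request: the same name arrives on all three channels.
$get    = ['user_id' => '42'];
$post   = ['user_id' => '7'];
$cookie = ['user_id' => '1; DROP'];

// With 'GPC' the cookie value is the one $_REQUEST would hand the script.
$req = build_request($get, $post, $cookie, 'GPC');
var_dump($req['user_id']);

// Naming the source removes the ambiguity, but a forged POST reaches the same
// code path, so the range check is what actually protects the application.
var_dump(read_int_param($post, 'user_id', 1, 100000));
var_dump(read_int_param(['user_id' => '999999999'], 'user_id', 1, 100000));
```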

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
