Op 2/24/10 11:18 AM, Ashley Sheridan schreef:
> On Wed, 2010-02-24 at 07:55 +, Jochem Maas wrote:
>
>> Op 2/22/10 10:49 PM, John Black schreef:
>>> On 02/22/2010 11:42 PM, Michael Shadle wrote:
The difference here is you can at least have some control over the data
and expect it in a
On Wed, 2010-02-24 at 12:34 +0100, Rene Veerman wrote:
> sry i gotta disagree.
>
> a function that queries $_POST/$_GET first and then $_COOKIE seems
> much wiser to me.
> it consolidates all logic in the script, and making that logic obvious
> by syntax, rather than relying on functionality bein
sry i gotta disagree.
a function that queries $_POST/$_GET first and then $_COOKIE seems
much wiser to me.
it consolidates all logic in the script, and making that logic obvious
by syntax, rather than relying on functionality being determined by
php.ini, which could well cause a new developer to l
On Wed, 2010-02-24 at 07:55 +, Jochem Maas wrote:
> Op 2/22/10 10:49 PM, John Black schreef:
> > On 02/22/2010 11:42 PM, Michael Shadle wrote:
> >> The difference here is you can at least have some control over the data
> >> and expect it in a certain fashion. Also the behavior of cookies vs.
Op 2/22/10 10:49 PM, John Black schreef:
> On 02/22/2010 11:42 PM, Michael Shadle wrote:
>> The difference here is you can at least have some control over the data
>> and expect it in a certain fashion. Also the behavior of cookies vs. get
>> vs. post are different (cookies have length and expirati
Op 2/23/10 10:27 AM, Ashley Sheridan schreef:
> On Tue, 2010-02-23 at 09:19 +, Richard wrote:
>
>> Hi,
>>
>> Well people better than me (how is that possible?!) have said that
>> $_REQUEST has the potential to open your app up to security
>> vulnerabilities, and that it should be avoided becau
At 11:07 PM +0100 2/22/10, John Black wrote:
On 02/22/2010 10:37 PM, Michael Shadle wrote:
On Mon, Feb 22, 2010 at 1:30 PM, David
Murphy wrote:
Richard,
The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST,
they should ALL be treated as bad data until normalized and sanitized
From: Rene Veerman [mailto:rene7...@gmail.com]
> On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle
>>
>> Single quotes is best, correct to prevent sql injection?
>
> sql injection fixing is an evolving art, but you can start by pushing
> all variables that can be changed by end-users going into a da
On Tue, 2010-02-23 at 09:19 +, Richard wrote:
> Hi,
>
> Well people better than me (how is that possible?!) have said that
> $_REQUEST has the potential to open your app up to security
> vulnerabilities, and that it should be avoided because of that. Here's
> a post from Stefan Esser about i
Hi,
Well people better than me (how is that possible?!) have said that
$_REQUEST has the potential to open your app up to security
vulnerabilities, and that it should be avoided because of that. Here's
a post from Stefan Esser about it on the PHP-Internals list:
http://www.mail-archive.com/inter
On Mon, 2010-02-22 at 23:49 +0100, John Black wrote:
> On 02/22/2010 11:42 PM, Michael Shadle wrote:
> > The difference here is you can at least have some control over the data
> > and expect it in a certain fashion. Also the behavior of cookies vs. get
> > vs. post are different (cookies have len
On 02/22/2010 11:42 PM, Michael Shadle wrote:
The difference here is you can at least have some control over the data
and expect it in a certain fashion. Also the behavior of cookies vs. get
vs. post are different (cookies have length and expiration limits, get
has length limits, post has server
Op 2/22/10 8:39 PM, Slack-Moehrle schreef:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people
> using either $_POST or $_REQUEST.
>
> When would I choose one over the other?
use $_POST, $_REQUEST is normally an amalgam of GET, POST and COOKIE - as such
usin
The difference here is you can at least have some control over the
data and expect it in a certain fashion. Also the behavior of cookies
vs. get vs. post are different (cookies have length and expiration
limits, get has length limits, post has server configured limits)
Like I said a properly
On Mon, Feb 22, 2010 at 22:37, Michael Shadle wrote:
> On Mon, Feb 22, 2010 at 1:30 PM, David Murphy wrote:
>> Richard,
>>
>>
>> The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST,
>> they should ALL be treated as bad data until normalized and sanitized. The
>> claim that it
On 02/22/2010 11:17 PM, Michael Shadle wrote:
"Secure" might be the wrong term here. As you can easily change GET to
POST and vice-versa and send any cookies you like, this is why I tried
to revise my statement and quantify it better... in a properly coded
app it doesn't present much issue. Howev
On Mon, Feb 22, 2010 at 5:02 PM, Slack-Moehrle
wrote:
> John,
>
>>>Then if you use a MySQL database you would escape the string like this
>>>$tmp = mysql_real_escape_string($_REQUEST['yyy']);
>
>
>>>mysql_real_escape_string() protects from SQL injection by escaping your
>>>string according to what
On Mon, Feb 22, 2010 at 2:07 PM, John Black
wrote:
> And how is this more secure? I can create a cookie, send post or get on my
> client machine and send anything I want to the server. Just because you are
> getting a cookie does not mean that you created it :)
>
> So you might as well use reques
On 02/22/2010 10:37 PM, Michael Shadle wrote:
On Mon, Feb 22, 2010 at 1:30 PM, David Murphy wrote:
Richard,
The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST,
they should ALL be treated as bad data until normalized and sanitized. The
claim that it opens a security hole is
John,
>>Then if you use a MySQL database you would escape the string like this
>>$tmp = mysql_real_escape_string($_REQUEST['yyy']);
>>mysql_real_escape_string() protects from SQL injection by escaping your
>>string according to what your charset requires.
Good point, I should be doing that. But
On Mon, Feb 22, 2010 at 1:30 PM, David Murphy wrote:
> Richard,
>
>
> The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST,
> they should ALL be treated as bad data until normalized and sanitized. The
> claim that it opens a security hole is just false, that’s like saying PHP
$_REQUEST.
David Murphy
-Original Message-
From: richard.he...@gmail.com [mailto:richard.he...@gmail.com] On Behalf Of
Richard
Sent: Monday, February 22, 2010 3:03 PM
To: Joseph Thayne
Cc: Slack-Moehrle; php-general
Subject: Re: [PHP] $_POST vs $_REQUEST
Hi,
> I am not sure what
On Mon, Feb 22, 2010 at 12:55 PM, Joseph Thayne wrote:
> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values. Could you
> expound on that? Thanks.
$_REQUEST opens you up to POST/GET values overriding cookie values
> I have Forms that I submit for processing. I have seen examples of people
> using either $_POST or $_REQUEST.
>
Look at this example:
Now what do you think $_REQUEST will return? You had better not even
think. Just use $_POST or $_GET as you _know_ what they will return.
Don't forget, the
Hi Slack-Moehrle
Slack-Moehrle wrote on 22/02/2010 21:39:
Hi All,
I have Forms that I submit for processing. I have seen examples of people using
either $_POST or $_REQUEST.
When would I choose one over the other?
$_REQUEST['test'] is true on both $_GET['test'] and $_POST['test']
I use it
Hi,
> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values. Could you
> expound on that? Thanks.
Not really, do a search.
--
Richard Heyes
HTML5 canvas graphing: RGraph - http://www.rgraph.net (updated 20th Februa
> i'd expect without quotes to query a define('j_orderValue','??')..
oh, and that, if not defined, defaults to the string 'j_orderValue'.
So while your $_POST[] with or without quotes will "do the same", use
single-quotes anyway because it's "the right thing to do" ;)
--
PHP General Mailing List
On 02/22/2010 09:39 PM, Slack-Moehrle wrote:
Hi All,
I have Forms that I submit for processing. I have seen examples of people using
either $_POST or $_REQUEST.
When would I choose one over the other?
When you don't care how you get the data use $_REQUEST.
$_REQUEST will contain $_GET,$_POST,$
On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle
wrote:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people
> using either $_POST or $_REQUEST.
>
> When would I choose one over the other?
I like to be specific and go for $_POST, but some people want
flexibility
Richard wrote:
It's a wise choice to go with $_POST, unless your form is a GET form,
in which case use $_GET. $_REQUEST has the potential to open your
script(s) up to security issues.
I am not sure what the security issues are you are referring to as the
$_REQUEST superglobal contains both
On Tue, Feb 23, 2010 at 2:39 AM, Slack-Moehrle
wrote:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people
> using either $_POST or $_REQUEST.
>
> When would I choose one over the other?
>
> Also, I see examples of these being used with and without the single qu
Hi,
> I have Forms that I submit for processing. I have seen examples of people
> using either $_POST or $_REQUEST.
>
> When would I choose one over the other?
It's a wise choice to go with $_POST, unless your form is a GET form,
in which case use $_GET. $_REQUEST has the potential to open your
Hi All,
I have Forms that I submit for processing. I have seen examples of people using
either $_POST or $_REQUEST.
When would I choose one over the other?
Also, I see examples of these being used with and without the single quotes
Like:
$_POST[j_orderValue]
or
$_POST['j_orderValue']
Single
33 matches