Hello,
on 06/23/2006 09:46 AM John Nichel said the following:
>>> I come from languages where you not only have to initialize a variable
>>> but have to declare it as well so initializing comes natural, I feel
>>> wrong if I don't do it, even if the interpreter does not care.
>>
>> Jus
Richard Lynch wrote:
On Tue, June 20, 2006 2:38 am, Satyam wrote:
I come from languages where you not only have to initialize a variable
but have to declare it as well so initializing comes natural, I feel
wrong if I don't do it, even if the interpreter does not care.
Just to be pedantic...
T
On Tue, June 20, 2006 2:38 am, Satyam wrote:
> I come from languages where you not only have to initialize a variable
> but have to declare it as well so initializing comes natural, I feel
> wrong if I don't do it, even if the interpreter does not care.
Just to be pedantic...
The interprete
- Original Message -
From: "Richard Lynch" <[EMAIL PROTECTED]>
On Sun, June 18, 2006 2:19 am, Satyam wrote:
- Original Message -
From: "Rory Browne" <[EMAIL PROTECTED]>
Good code won't be vulnerable to register_globals either, but having
register_globals on is a security probl
On Sun, June 18, 2006 2:19 am, Satyam wrote:
> - Original Message -
> From: "Rory Browne" <[EMAIL PROTECTED]>
>
>>
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security
>> flaws that can only be exp
On Sat, June 17, 2006 1:25 pm, Ben Ramsey wrote:
> Using $_REQUEST is similar to using register_globals. You simply cannot
> trust the origin of the data. It's possible that a variable by the name
> of "foo" exists as a cookie, POST value, and GET value. If you use
> $_REQUEST, you cannot be as
- Original Message -
From: "Manuel Lemos" <[EMAIL PROTECTED]>
To: "PHP List"
Sent: Sunday, June 18, 2006 10:12 AM
Subject: Re: [PHP] GET, POST, REQUEST
Hello,
on 06/18/2006 04:19 AM Satyam said the following:
Good code won't be vulnerable to regi
Hello,
on 06/18/2006 04:19 AM Satyam said the following:
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security
>> flaws that can only be exploited when register_globals is enabled.
>>
>
> Actually, code q
Hi,
Sunday, June 18, 2006, 5:19:20 PM, you wrote:
S> - Original Message -
S> From: "Rory Browne" <[EMAIL PROTECTED]>
>>
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security flaws
>> that can only b
- Original Message -
From: "Rory Browne" <[EMAIL PROTECTED]>
Good code won't be vulnerable to register_globals either, but having
register_globals on is a security problem because there are security flaws
that can only be exploited when register_globals is enabled.
Actually, code qu
I don't think that using request over post adds anything in the way of
security, at the most it's going to delay an attacker for up to a
minute. I advocate using request if it's convenient, it can also open a
few nice tricks for advanced users. Using request allows me to bookmark
a login page, so
Hello,
on 06/17/2006 08:35 PM Rory Browne said the following:
>> So, a secure application always has to validate values from client side
>> originated variables, independently if the values were retrieved from
>> $_GET, $_POST, $_COOKIE or $_REQUEST .
>
>
> You should always validate ALL externa
So, a secure application always has to validate values from client side
originated variables, independently if the values were retrieved from
$_GET, $_POST, $_COOKIE or $_REQUEST .
You should always validate ALL external variables.
As for server side originated variables, these do not need to
On 6/18/06, Ben Ramsey <[EMAIL PROTECTED]> wrote:
On 6/17/06 5:34 PM, Satyam wrote:
> Your application might require that flexibility or accepting data via
> POST or GET, in which case, it is just fine. Contrary to another post
> I've read, there is nothing good of register_globals, that is wh
on 06/17/2006 07:10 PM Ben Ramsey said the following:
> On 6/17/06 5:34 PM, Satyam wrote:
>> Your application might require that flexibility or accepting data via
>> POST or GET, in which case, it is just fine. Contrary to another
>> post I've read, there is nothing good of register_globals, that
On 6/17/06 5:34 PM, Satyam wrote:
Your application might require that flexibility or accepting data via
POST or GET, in which case, it is just fine. Contrary to another post
I've read, there is nothing good of register_globals, that is why it is
now defaulted to off and kept for compatibility
On 6/17/06 5:25 PM, Martin Marques wrote:
I know user input shouldn't be trusted. What I want to know is IF and WHY
$_REQUEST should be more untrusted than $_POST or $_GET.
It's untrusted because you know the data comes from a request. It's more
untrusted than GET, POST, or COOKIE because yo
On Sat, 17 Jun 2006 09:55:05 -0400, tedd <[EMAIL PROTECTED]> wrote:
> At 8:52 AM -0300 6/17/06, Martin Marques wrote:
>> Yesterday when reading some doc on PHP I noticed the $_REQUEST predefined
>> array, which looked like a solution to having to check in GET and POST data
>> (I'm not sure if it will
here is nothing intrinsically wrong with $_REQUEST, it is slightly more
vulnerable than differentiating POSTs from GETs, but it is not the worst you
can do
Satyam
- Original Message -
From: "Martin Marques"
To: "Satyam" <[EMAIL PROTECTED]>
Cc:
Sent: Saturday, June
On Sat, 17 Jun 2006 14:25:30 -0400, Ben Ramsey <[EMAIL PROTECTED]> wrote:
> On 6/17/06 9:30 AM, David Tulloh wrote:
>> Martin Marques wrote:
>>> Yesterday when reading some doc on PHP I noticed the $_REQUEST
>>> predefined array, which looked like a solution to having to check in
>>> GET and POS
On Sat, 17 Jun 2006 15:01:23 +0200, "Satyam" <[EMAIL PROTECTED]> wrote:
> In general, user input should never be trusted. Someone once told me that
> if you ask for yes or no, you should always validate for yes, no and don't
> know (of course, this was before windowed environments where the users
On 6/17/06 3:07 PM, Anthony Ettinger wrote:
it's more like painting the color of your front door, but still
leaving it unlocked. It doesn't change the fact that people can still
open the door.
every input field needs to be validated regardless of get vs. post.
the web developer toolbar for firef
it's more like painting the color of your front door, but still
leaving it unlocked. It doesn't change the fact that people can still
open the door.
every input field needs to be validated regardless of get vs. post.
the web developer toolbar for firefox can easily convert all form
fields to one
But it would seem that using $_POST cuts down on the number of possible ways
that something bad could happen, doesn't it? (Someone correct me if I am
wrong, I am by no means a security or PHP expert, though working towards
both :D)
On Saturday 17 June 2006 14:51, Anthony Ettinger wrote:
> simpl
simply using $_POST is by no means more secure than $_REQUEST.
On 6/17/06, Ben Ramsey <[EMAIL PROTECTED]> wrote:
On 6/17/06 9:30 AM, David Tulloh wrote:
> Martin Marques wrote:
>> Yesterday when reading some doc on PHP I noticed the $_REQUEST
>> predefined array, which looked like a solution t
On 6/17/06 9:30 AM, David Tulloh wrote:
Martin Marques wrote:
Yesterday when reading some doc on PHP I noticed the $_REQUEST
predefined array, which looked like a solution to having to check in GET
and POST data (I'm not sure if it will really have an impact on my
program yet).
Yes, request is
Satyam wrote:
In general, user input should never be trusted. Someone once told me
that if you ask for yes or no, you should always validate for yes, no
and don't know (of course, this was before windowed environments where
the users can only click what you offer them).
Users can submit whatev
At 8:52 AM -0300 6/17/06, Martin Marques wrote:
>Yesterday when reading some doc on PHP I noticed the $_REQUEST predefined
>array, which looked like a solution to having to check in GET and POST data
>(I'm not sure if it will really have an impact on my program yet).
>
>The thing is, I also saw t
Martin Marques wrote:
> Yesterday when reading some doc on PHP I noticed the $_REQUEST
> predefined array, which looked like a solution to having to check in GET
> and POST data (I'm not sure if it will really have an impact on my
> program yet).
Yes, request is simply a merge of these arrays. It
c.org/ and I'm sure other list members will supply more.
Satyam
- Original Message -
From: "Martin Marques"
To:
Sent: Saturday, June 17, 2006 1:52 PM
Subject: [PHP] GET, POST, REQUEST
Yesterday when reading some doc on PHP I noticed the $_REQUEST predefined
array, w
Yesterday when reading some doc on PHP I noticed the $_REQUEST predefined
array, which looked like a solution to having to check in GET and POST
data (I'm not sure if it will really have an impact on my program yet).
The thing is, I also saw this description:
Variables provided to the script v
31 matches