Re: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Richard Lynch
On Wed, September 14, 2005 1:57 pm, Dan Baker wrote:
> (snipped)
>> If you're going to use $_REQUEST you might as well just turn on
>> register
>> globals (no, don't!).

More mis-information. $_REQUEST is simply the array_merge() of $_GET, $_POST, and $_COOKIE. You either check the contents of an

RE: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Richard Lynch
On Wed, September 14, 2005 2:08 pm, Jim Moseby wrote:
> Suppose you have a form that posts set hidden values. A malicious
> user
> could modify the URI to change those values.

Sure. Or they could save your HTML on their hard drive, edit it in their editor of choice (some of which require NO brai

Re: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Scott Noyes
> Suppose you have a form that posts set hidden values. A malicious user
> could modify the URI to change those values.

A malicious user could just as easily modify the http header that sets the POST, or the cookie that sets the COOKIE, or whatever. In other words, if it comes from the user, it

[PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Ben
Dan Baker wrote: Why is using $_REQUEST a security issue? You know every value in the entire array came from the end-user, and needs to be validated somehow. If your code is written so the end-user can send this data to you via a POST/GET/COOKIE, why not use $_REQUEST? On the one hand, you

RE: [PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Jim Moseby
> (snipped)
> "Ben" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Gustav Wiberg wrote:
> >> if (isset($_REQUEST["frmUsername"])) {
> >>
> >> $un = $_REQUEST["frmUsername"];
> >
> > If you're going to use $_REQUEST you might as well just
> turn on register
> > globals (no, do

[PHP] Re: trying to figure out the best/efficient way to tell whois logged into a site..

2005-09-14 Thread Dan Baker
(snipped)
"Ben" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Gustav Wiberg wrote:
>> if (isset($_REQUEST["frmUsername"])) {
>>
>> $un = $_REQUEST["frmUsername"];
>
> If you're going to use $_REQUEST you might as well just turn on register
> globals (no, don't!).
>
> If you're exp