Re: [PHP] Re: trying to figure out the best/efficient way to tell who is logged into a site..

2005-09-14 Thread Richard Lynch
On Wed, September 14, 2005 4:03 pm, Ben wrote:
>>>using $_REQUEST you'll be oblivious. You ought to know where your
>>>variable values are coming from, $_REQUEST hides this.

I think I must object to saying "$_REQUEST" hides this.

$_REQUEST tells you it came from POST or GET (or COOKIE)

Anyway,

Re: [PHP] Re: trying to figure out the best/efficient way to tell who is logged into a site..

2005-09-14 Thread Edward Vermillion
Dan Baker wrote:
"Ben" <[EMAIL PROTECTED]> wrote in message
[snip]
Interesting, but I think I wouldn't spend the extra code to detect if I was expecting a POST, but got a GET. If I didn't get the value from POST, I'd just assume it wasn't there -- I wouldn't go looking elsewhere for it, and

[PHP] Re: trying to figure out the best/efficient way to tell who is logged into a site..

2005-09-14 Thread Ben
Dan Baker wrote: On the one hand, you can't trust anything that came from the client, but on the other if you're expecting a variable to come from a cookie and instead it comes from a get you know something weird is going on, but using $_REQUEST you'll be oblivious. You ought to know where yo

[PHP] Re: trying to figure out the best/efficient way to tell who is logged into a site..

2005-09-14 Thread Dan Baker
"Ben" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Dan Baker wrote:
>
>> Why is using $_REQUEST a security issue? You know every value in the
>> entire array came from the end-user, and needs to be validated somehow.
>> If your code is written so the end-user can send this data