$_REQUEST provides an opportunity, to some degree, for a hack and/or an attack against a script or application.

The worst-case scenario is that you, as a new programmer on a complex legacy application that incorporates $_REQUEST, have actually taken over a script product that has willful backdoor hacks integrated into the programming, such that deep in some large class object or buried in a benign PHP include file there could plausibly be functionality that is expecting and operating on variables that can at any time be forced into the script logic stream by simply adding them to the URL GET or POST data. The above is clearly a very bad worst case, but it has a higher probability of occurring than you might first consider, because statistically more black hat attacks and break-ins come from people inside the company than from external attackers.

Now if you employ sanitizing techniques on all your variables that not only clean up the expected variables but additionally proactively destroy or deny all other unexpected variables, then you might be okay. For example, in my last sanitizing scheme, I maintained a whitelist array of expected variable names, and all REQUEST data was first compared against the whitelist before it was operated on. All other variable names not on the whitelist were not only ignored but explicitly destroyed. Additionally, in a script where I was expecting POST data, I explicitly destroyed the GET data.

The additional rub of dealing with GET, POST and COOKIE data with the same variable names is also a potential downside that might not affect you but might trip up a future programmer who works on your code later.

I think the case against using $_REQUEST is fairly solid, and if an existing script is allowing other users and applications from anywhere in the world to essentially submit any kind of variables by any method they please, then we might have a 'situation' of some sort on our hands that likely needs careful review and re-review.

Warmest regards,
Peter Sawczynec
Technology Dir.
Sun-code Interactive
Sun-code.com
646.316.3678
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian D.
Sent: Friday, October 12, 2007 1:00 PM
To: NYPHP Talk
Subject: [nyphp-talk] $_REQUEST: Bad Form?

I can't find where I read it originally, but somewhere I've been told or read that "using $_REQUEST is bad form." I understand that in cases where you want to force a $_POST request, but if you might receive $_GET or $_POST then isn't it better than doing if/elses? The only related thing I could find on Google was this guy ( http://mypetprogrammer.com/blog/?p=15 ), but he seems to erroneously believe that using $_POST somehow saves you from a SQL injection attack. I'm also thinking that some servers don't use the $_REQUEST array. Can you define why it's bad form? When is it considered acceptable to use?

Thanks!
- B.

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
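A minimal PHP version of the whitelist-and-destroy scheme Peter describes above (keep only expected names, wipe everything else, and drop GET entirely when POST is expected), as an added example that is not code from the thread or from his application. The names `EXPECTED_FIELDS`, `collect_expected_fields` and `legacy_include_stub` are my own, the request data at the bottom is constructed for the demo, and building `$_REQUEST` with `array_merge($_GET, $_POST)` assumes a php.ini `request_order = "GP"` (POST overrides GET).

```php
<?php
declare(strict_types=1);

// Added example, not code from the NYPHP thread or from Peter's application.
// EXPECTED_FIELDS, collect_expected_fields and legacy_include_stub are
// names chosen for this demo; the request data below is constructed.

/** Field names this script is prepared to handle. Anything else is noise. */
const EXPECTED_FIELDS = ['username', 'password'];

/**
 * Keep only whitelisted, scalar fields from the method this script expects,
 * then empty the other input superglobals so code that runs later (such as
 * a buried legacy include that reads $_REQUEST) cannot see smuggled names.
 *
 * @param string[] $whitelist  names this script expects
 * @param string   $method     'POST' or 'GET'
 * @return array<string,string> the surviving fields
 */
function collect_expected_fields(array $whitelist, string $method): array
{
    if ($method !== 'POST' && $method !== 'GET') {
        throw new InvalidArgumentException("unsupported method: $method");
    }
    $source = ($method === 'POST') ? $_POST : $_GET;

    $clean = [];
    foreach ($whitelist as $name) {
        // is_string() rejects arrays injected as ?name[]=x, which would
        // otherwise reach string contexts as the literal "Array".
        if (isset($source[$name]) && is_string($source[$name])) {
            $clean[$name] = $source[$name];
        }
    }

    // Destroy rather than ignore: the method we did not expect is dropped
    // wholesale, the expected one is reduced to the whitelist, and the
    // merged $_REQUEST copy is cleared so nothing can fall back to it
    // ($_REQUEST is a separate array; emptying $_GET does not empty it).
    $_GET     = ($method === 'GET')  ? $clean : [];
    $_POST    = ($method === 'POST') ? $clean : [];
    $_REQUEST = [];
    return $clean;
}

/** Stand-in for a legacy include that trusts whatever $_REQUEST contains. */
function legacy_include_stub(): string
{
    return isset($_REQUEST['debug_dump']) ? 'debug dump enabled' : 'normal page';
}

// Constructed request: a login form POST with an extra is_admin field, plus
// query-string parameters riding along on the same URL. On a real server
// PHP populates these from the HTTP request; here they are filled by hand
// and $_REQUEST is built the way request_order = "GP" would (assumption).
$_GET     = ['username' => 'mallory', 'debug_dump' => '1', 'password' => ['x']];
$_POST    = ['username' => 'alice', 'password' => 's3cret', 'is_admin' => '1'];
$_REQUEST = array_merge($_GET, $_POST);

echo 'before:  ', legacy_include_stub(), "\n";
$fields = collect_expected_fields(EXPECTED_FIELDS, 'POST');
echo 'after:   ', legacy_include_stub(), "\n";
echo 'kept:    ', var_export($fields, true), "\n";
echo 'GET now: ', var_export($_GET, true), "\n";
```

Run it with `php example.php`: the stub reports the debug dump as enabled before the call and not after, `is_admin` and everything from the query string are gone, and only the whitelisted `username` and `password` from the POST body survive. The filter has to run before any include that reads input, which is exactly the ordering a large legacy code base makes hard to guarantee. It deliberately leaves `$_COOKIE` alone; if the application reads cookies, the same whitelist treatment applies there, otherwise the GET/POST/COOKIE name collision Peter mentions still bites.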
