Comments on: Why PHP’s $_REQUEST is dangerous http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/ One developers blog. Tue, 07 Sep 2010 23:08:24 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Christian Sciberras http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-16045 Christian Sciberras Fri, 16 Jul 2010 22:54:16 +0000 http://devlog.info/?p=113#comment-16045 Jeremy did you even read the article? Spyros is wrong, but so are you. The author specifically said that $_REQUEST is only insecure because of $_COOKIE in request_order, which for your information, has been disabled for quite some time. So to sum it up, $_REQUEST, is a very useful feature which is best used with newer versions of PHP. There are no other ulterior "major security risks". Jeremy did you even read the article? Spyros is wrong, but so are you.

The author specifically said that $_REQUEST is only insecure because of $_COOKIE in request_order, which for your information, has been disabled for quite some time.

So to sum it up, $_REQUEST, is a very useful feature which is best used with newer versions of PHP.

There are no other ulterior “major security risks”.

]]> By: Jeremy Simkins http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14870 Jeremy Simkins Wed, 26 May 2010 16:19:58 +0000 http://devlog.info/?p=113#comment-14870 I make it a point to never use $_REQUEST. Even studying for the ZCE explains that $_REQUEST is a major security risk. Spyros, you are completely wrong. Thanks for the article, very useful information. Let's hope people learn from this... I make it a point to never use $_REQUEST. Even studying for the ZCE explains that $_REQUEST is a major security risk. Spyros, you are completely wrong.

Thanks for the article, very useful information. Let’s hope people learn from this…

]]> By: php mail() validation http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14524 php mail() validation Wed, 12 May 2010 08:22:43 +0000 http://devlog.info/?p=113#comment-14524 [...] $_COOKIE as usual. I found a nice text explaining why $_REQUEST has a problem, so read for example Why PHP’s $_REQUEST is dangerous - Devlog and see what the problem really is, and how you can avoid the problem. [...] [...] $_COOKIE as usual. I found a nice text explaining why $_REQUEST has a problem, so read for example Why PHP’s $_REQUEST is dangerous – Devlog and see what the problem really is, and how you can avoid the problem. [...]

]]> By: Useful Security Pages | Toby's Development Blog http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14352 Useful Security Pages | Toby's Development Blog Wed, 05 May 2010 08:43:09 +0000 http://devlog.info/?p=113#comment-14352 [...] Why $_REQUEST is dangerous [...] [...] Why $_REQUEST is dangerous [...]

]]> By: Toby http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14351 Toby Wed, 05 May 2010 07:42:29 +0000 http://devlog.info/?p=113#comment-14351 Cheers for the explanation, my php.ini was clean but it is a good thing to be looking out for. I have seen a lot of code floating about that would check against $_REQUEST using if(isset($_REQUEST['wibble'])), just calling the script with script.php?wibble=y will trigger this even if it is a $_POST variable that should be being checked. Cheers for the explanation, my php.ini was clean but it is a good thing to be looking out for.

I have seen a lot of code floating about that would check against $_REQUEST using if(isset($_REQUEST['wibble'])), just calling the script with script.php?wibble=y will trigger this even if it is a $_POST variable that should be being checked.

]]> By: Christopher Nadeau http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14229 Christopher Nadeau Fri, 30 Apr 2010 21:44:54 +0000 http://devlog.info/?p=113#comment-14229 Did you not read the article at all? The fact that cookie data takes *precedence* in $_REQUEST over the others is the dangerous part. Indeed, even if it was last, it would still be dangerous for the simple fact that a specific value would could always be set. No one wants to remove $_REQUEST itself from PHP. Only cookie data should be removed. In PHP 5.3 we have the 'request_order' php.ini setting which has cookies disabled by default: <blockquote><a href="http://php.net/manual/en/ini.core.php#ini.request-order" rel="nofollow">request_order</a> Note that the default distribution php.ini files does not contain the 'C' for cookies, due to security concerns.</blockquote> Did you not read the article at all?

The fact that cookie data takes *precedence* in $_REQUEST over the others is the dangerous part. Indeed, even if it was last, it would still be dangerous for the simple fact that a specific value would could always be set.

No one wants to remove $_REQUEST itself from PHP. Only cookie data should be removed. In PHP 5.3 we have the ‘request_order’ php.ini setting which has cookies disabled by default:

request_order
Note that the default distribution php.ini files does not contain the ‘C’ for cookies, due to security concerns.

]]> By: Spyros http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14098 Spyros Tue, 27 Apr 2010 17:29:30 +0000 http://devlog.info/?p=113#comment-14098 Well, no.. There is absolutely no security problem with using $_REQUEST. Getting input from cookie is the same as getting input from get or post. If $_REQUEST was indeed a security flaw in PHP, it would have been removed. Well, no..

There is absolutely no security problem with using $_REQUEST. Getting input from cookie is the same as getting input from get or post.

If $_REQUEST was indeed a security flaw in PHP, it would have been removed.

]]>