Comments on: Why PHP’s $_REQUEST is dangerous http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/ One developers blog. Fri, 03 Feb 2012 16:12:21 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: James http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-68989 James Wed, 12 Oct 2011 15:58:56 +0000 http://devlog.info/?p=113#comment-68989 I don't understand why everyone is down-talking this article. It's still educational. And yes, if the $_COOKIE value was removed from $_REQUEST, that would be awesome, and I would change a lot of my code so I didn't have to look for both $_GET and $_POST. But for now, it will remain the same. I don’t understand why everyone is down-talking this article. It’s still educational. And yes, if the $_COOKIE value was removed from $_REQUEST, that would be awesome, and I would change a lot of my code so I didn’t have to look for both $_GET and $_POST. But for now, it will remain the same.

]]> By: Wil Moore III http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-66792 Wil Moore III Tue, 04 Oct 2011 16:54:54 +0000 http://devlog.info/?p=113#comment-66792 The arguments that "GET/POST" will _never_ be overwritten are shortsighted at best. The simple fact that this is something that can be set in php.ini (most ridiculous _feature_ of a programming language BTW) means you should still steer clear. If you never ship software or never have to support software in the wild, this is easy to dismiss; however, it is a problem. Would you really want to potentially introduce subtle bugs and security gaps? The arguments that “GET/POST” will _never_ be overwritten are shortsighted at best. The simple fact that this is something that can be set in php.ini (most ridiculous _feature_ of a programming language BTW) means you should still steer clear. If you never ship software or never have to support software in the wild, this is easy to dismiss; however, it is a problem. Would you really want to potentially introduce subtle bugs and security gaps?

]]> By: Web Farmer http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-23157 Web Farmer Thu, 02 Dec 2010 07:53:15 +0000 http://devlog.info/?p=113#comment-23157 hi folks, I'm not agree with "Any cookie ever set on a users machine will always override any GET or POST data -- creating "sticky" variable data" Because in php.ini variables_order = "GPCS"(wrt php 5.2.8) So GET/POST form value never ever be overwritten by Cookie. Thanks, Sachin Pethani hi folks,

I’m not agree with “Any cookie ever set on a users machine will always override any GET or POST data — creating “sticky” variable data”

Because in php.ini
variables_order = “GPCS”(wrt php 5.2.8)

So GET/POST form value never ever be overwritten by Cookie.

Thanks,
Sachin Pethani

]]> By: 為何在 PHP 中盡量不要使用 $_REQUEST » Blogs of OpenFoundry - OpenFoundry團隊非官方網誌串聯平台 http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-21560 為何在 PHP 中盡量不要使用 $_REQUEST » Blogs of OpenFoundry - OpenFoundry團隊非官方網誌串聯平台 Sun, 07 Nov 2010 02:32:41 +0000 http://devlog.info/?p=113#comment-21560 [...] Why PHP’s $_REQUEST is dangerous [...] [...] Why PHP’s $_REQUEST is dangerous [...]

]]> By: 為何在 PHP 中盡量不要使用 $_REQUEST « Ant's ATField http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-21538 為何在 PHP 中盡量不要使用 $_REQUEST « Ant's ATField Sat, 06 Nov 2010 18:20:02 +0000 http://devlog.info/?p=113#comment-21538 [...] Why PHP’s $_REQUEST is dangerous [...] [...] Why PHP’s $_REQUEST is dangerous [...]

]]> By: Onto Development http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-19758 Onto Development Fri, 08 Oct 2010 16:16:36 +0000 http://devlog.info/?p=113#comment-19758 The example in this article of Cookie abuse misses a more important development point. "If an attacker some how managed to set a cookie -- perhaps through some Javascript injection ..." Sounds like you have bigger issues on your hands if this happens. Lock down your user content and you won't have this problem or the other hundreds of malicious injections, many much worse than a simple prevention of use of your site. The example in this article of Cookie abuse misses a more important development point.

“If an attacker some how managed to set a cookie — perhaps through some Javascript injection …”

Sounds like you have bigger issues on your hands if this happens. Lock down your user content and you won’t have this problem or the other hundreds of malicious injections, many much worse than a simple prevention of use of your site.

]]> By: Miguel Cruz http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-19141 Miguel Cruz Mon, 27 Sep 2010 11:53:22 +0000 http://devlog.info/?p=113#comment-19141 Roberto: You are missing the point. It's true that all user data is fundamentally untrustable. However, the thinking in your message is all about protecting the server from compromise. That's not the issue here. The issue here is protecting users from abuse. Allowing cookie data to mingle with form data doesn't change the vigilance that is necessary in order to prevent your server from compromise. However, it does make it easier for miscreants to trick unwitting users into unwittingly performing actions on your server which they are nominally allowed to do but might not have chosen to. Roberto: You are missing the point.

It’s true that all user data is fundamentally untrustable.

However, the thinking in your message is all about protecting the server from compromise. That’s not the issue here. The issue here is protecting users from abuse.

Allowing cookie data to mingle with form data doesn’t change the vigilance that is necessary in order to prevent your server from compromise.

However, it does make it easier for miscreants to trick unwitting users into unwittingly performing actions on your server which they are nominally allowed to do but might not have chosen to.

]]> By: Roberto Neumann http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-18268 Roberto Neumann Sat, 11 Sep 2010 04:08:12 +0000 http://devlog.info/?p=113#comment-18268 Correct me if I´m wrong, but this sounds like $_COOKIE was the only $_REQUEST-element that can be misused by users. But considering GPC, all three arrays do usually get user-input - so whereever you´re using $_REQUEST, even if the C has been removed, the user could still give you some faulty data to deal with, because the user can still infuse them via $_GET (address bar) or $_POST (using a local HTML form to call your php-file). So there is no true point in removing C from GPC, because all three arrays are ultimately user-controlled and have to be dealt with! Changing its priority makes much more sense in my opinion -> CGP. You´ll just fix some possible bugs either way, but there´s always a risk to deal with when dealing with user-controlled variables - no matter where they come from. Correct me if I´m wrong, but this sounds like $_COOKIE was the only $_REQUEST-element that can be misused by users. But considering GPC, all three arrays do usually get user-input – so whereever you´re using $_REQUEST, even if the C has been removed, the user could still give you some faulty data to deal with, because the user can still infuse them via $_GET (address bar) or $_POST (using a local HTML form to call your php-file).

So there is no true point in removing C from GPC, because all three arrays are ultimately user-controlled and have to be dealt with! Changing its priority makes much more sense in my opinion -> CGP. You´ll just fix some possible bugs either way, but there´s always a risk to deal with when dealing with user-controlled variables – no matter where they come from.

]]> By: Christian Sciberras http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-16045 Christian Sciberras Fri, 16 Jul 2010 22:54:16 +0000 http://devlog.info/?p=113#comment-16045 Jeremy did you even read the article? Spyros is wrong, but so are you. The author specifically said that $_REQUEST is only insecure because of $_COOKIE in request_order, which for your information, has been disabled for quite some time. So to sum it up, $_REQUEST, is a very useful feature which is best used with newer versions of PHP. There are no other ulterior "major security risks". Jeremy did you even read the article? Spyros is wrong, but so are you.

The author specifically said that $_REQUEST is only insecure because of $_COOKIE in request_order, which for your information, has been disabled for quite some time.

So to sum it up, $_REQUEST, is a very useful feature which is best used with newer versions of PHP.

There are no other ulterior “major security risks”.

]]> By: Jeremy Simkins http://devlog.info/2010/02/04/why-php-request-array-is-dangerous/comment-page-1/#comment-14870 Jeremy Simkins Wed, 26 May 2010 16:19:58 +0000 http://devlog.info/?p=113#comment-14870 I make it a point to never use $_REQUEST. Even studying for the ZCE explains that $_REQUEST is a major security risk. Spyros, you are completely wrong. Thanks for the article, very useful information. Let's hope people learn from this... I make it a point to never use $_REQUEST. Even studying for the ZCE explains that $_REQUEST is a major security risk. Spyros, you are completely wrong.

Thanks for the article, very useful information. Let’s hope people learn from this…

]]>