Thread: $_request
03-17-2008, 02:25 AM   #6
Salathe

Village Idiot, I invite you to explain how using $_REQUEST presents a possible security risk above and beyond anything already available for $_GET/POST/COOKIE individually. It's all well and good saying "if exploited right, a security risk" but how are folks to learn if they're told how that risk is put into place and why?

To change the order in which the variables are parsed into $_REQUEST, you can use the variables_order (manual) php.ini directive which is "EGPCS" by default meaning that the order is ENVIRONMENT, GET, POST, COOKIE then finally SERVER. For the sake of $_REQUEST, if both $_GET['action'] and $_POST['action'] exist, then $_REQUEST['action'] will be given the value of whatever comes last in the variables_order list (so, POST by default). Note: ENV and SERVER values aren't mushed into the REQUEST superglobal variable, just GET/POST/COOKIE.

I can't remember the last time that I used $_REQUEST in anything other than experimenting -- I've no reason in my everyday code to cater for one item of user input coming in from more than one place and if that were the case I'd likely want to know which place it came from anyway.
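
The merge order described in the post above, as an added example that is not part of Salathe's post: it emulates how $_REQUEST is filled for a given order string and shows a check that flags a key arriving from more than one source. The helpers build_request() and sources_of() and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Emulates how PHP fills $_REQUEST from GET/POST/COOKIE for an order string
// such as "EGPCS". build_request() is a hypothetical helper, not a built-in.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        // E and S are skipped: ENV and SERVER values never reach $_REQUEST.
        if (isset($sources[$letter])) {
            // A later source overwrites an earlier one when keys collide.
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Lists every source that carries $key, so the caller knows where input came from.
function sources_of(string $key, array $get, array $post, array $cookie): array
{
    $found = [];
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $name => $data) {
        if (array_key_exists($key, $data)) {
            $found[$name] = $data[$key];
        }
    }
    return $found;
}

// Constructed sample input: the same key arrives through all three channels.
$get    = ['action' => 'view', 'id' => '7'];
$post   = ['action' => 'delete'];
$cookie = ['action' => 'export', 'theme' => 'dark'];

foreach (['EGPCS', 'GP', 'CGP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("order %-5s => action = %s\n", $order, $request['action']);
}

// Reading from the explicit superglobal avoids the ambiguity; this check
// makes a collision visible instead of silently taking the last value.
$origins = sources_of('action', $get, $post, $cookie);
if (count($origins) > 1) {
    echo "'action' supplied by: " . implode(', ', array_keys($origins)) . "\n";
}
```

On PHP 5.3 and later, the request_order directive, when set, is used instead of variables_order to decide what goes into $_REQUEST.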