03-17-2008, 04:43 AM
Join Date: Feb 2008
Although $_REQUEST sounds yummy :) it has its downsides. Big downsides as described in this thread.
Nowadays everything is crawling with script kiddies and XSS maniacs - just remember the whole story with phpBB about two years ago when they were having major security issues.
Well, let's get back to the real thing.
If you are using POST or GET or any other method - access it through its "interface" ($_POST, $_GET etc).
Another thing you could do - is wrap your superglobals.
I was searching for that kind of wrapper and I've found
- just wrap your superglobals and you are a bit more protected using them - especially the $_GET superglobal. Why?
Well, the majority of XSS attacks come through that specific superglobal - SQL injections, JS injections etc. If you are using $_GET['id'] just for passing IDs from your table - why not attach a checking system to it, as you would probably do for your forms (text field - only numeric, max 4 chars - for example).
Maybe I was a bit off-topic but I've written everything that comes to mind about superglobals.
Back from sysadmins to the programmers.
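The wrapper idea from the post above, as an added example that is not abiko's code and not the wrapper they linked: one small read-only class per superglobal (so callers pick $_GET or $_POST explicitly and never fall back to $_REQUEST, which merges GET, POST and COOKIE), with the "only numeric, max 4 chars" check for IDs and a pattern-plus-length check for text. The class name `InputSource`, the helper `h()` and the sample request values are all constructed for this example; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the forum post. A thin validating wrapper around one
// superglobal: the caller chooses the source (GET or POST) explicitly, and every
// accessor returns null for anything that does not match the expected shape.
declare(strict_types=1);

final class InputSource
{
    /** @var array<string,mixed> */
    private array $data;

    // Pass $_GET or $_POST explicitly. A copy is taken, so later changes to the
    // superglobal cannot alter what this wrapper reports.
    public function __construct(array $source)
    {
        $this->data = $source;
    }

    public static function fromGet(): self  { return new self($_GET); }
    public static function fromPost(): self { return new self($_POST); }

    // Integer ID with a maximum digit count (the post's "only numeric, max 4 chars").
    // Rejects arrays (?id[]=1), signs, whitespace, letters and over-long values.
    public function int(string $key, int $maxDigits = 4): ?int
    {
        if (!isset($this->data[$key]) || !is_string($this->data[$key])) {
            return null;
        }
        $raw = $this->data[$key];
        if (!preg_match('/^\d{1,' . $maxDigits . '}$/', $raw)) {
            return null;
        }
        return (int) $raw;
    }

    // Free text restricted to a whitelist pattern and a byte length.
    // This is input validation only; escaping still happens at output time.
    public function string(string $key, string $pattern, int $maxLen): ?string
    {
        if (!isset($this->data[$key]) || !is_string($this->data[$key])) {
            return null;
        }
        $raw = $this->data[$key];
        if (strlen($raw) > $maxLen || !preg_match($pattern, $raw)) {
            return null;
        }
        return $raw;
    }
}

// Escape for an HTML body/attribute context. Apply when printing, not when reading.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- constructed sample request so the script runs offline from the CLI ---
$_GET = [
    'id'     => '42',
    'bad_id' => '42 OR 1=1',
    'long'   => '123456',
    'user'   => 'abiko_08',
    'name'   => '<script>alert(1)</script>',
];

$in = InputSource::fromGet();

var_dump($in->int('id'));        // int(42)
var_dump($in->int('bad_id'));    // NULL  (not purely numeric)
var_dump($in->int('long'));      // NULL  (6 digits, limit is 4)
var_dump($in->int('missing'));   // NULL  (absent key)
var_dump($in->string('user', '/^[a-z0-9_]+$/i', 20)); // string(8) "abiko_08"
var_dump($in->string('name', '/^[a-z0-9_]+$/i', 20)); // NULL  (fails the whitelist)

// A validated ID is the only thing that should reach the database, and even
// then it goes in as a bound parameter, never by string concatenation:
//   $stmt = $pdo->prepare('SELECT title FROM items WHERE id = ?');
//   $stmt->execute([$in->int('id')]);
$id = $in->int('id');
if ($id === null) {
    http_response_code(400);
    exit("bad id\n");
}

// Text that is allowed to contain arbitrary printable characters is still
// escaped on output, so the script tag above renders as literal text.
$display = $in->string('name', '/^[^\x00-\x1f]{1,100}$/', 100) ?? 'anonymous';
echo 'Hello, ' . h($display) . "\n";
```

Reading through the wrapper rather than $_GET directly gives every ID the same numeric check the post suggests for form fields, and keeping `h()` at the output edge keeps validation (what is accepted) separate from escaping (how it is rendered), so the same stored value can later be escaped for a different context.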