FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176426 is a reply to message #176421] Fri, 06 January 2012 17:05 Go to previous messageGo to previous message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma:
Senior Member
Am 06.01.2012 11:07, schrieb Erwin Moller:
> On 1/6/2012 12:28 AM, M. Strobel wrote:
>> Am 05.01.2012 14:08, schrieb Erwin Moller:
>>>

-----------cut on various places

> Hi Strobel,
>
> And why do you prefer $_REQUEST over using the exact superglobal?
> You do know where the information is supposed to come from.
>
Yes I know that exactly. But why care? When I expect data I do

function getIntFromForm($key, $def=null) {
if (isset($_REQUEST[$key])) {
if ($a = sscanf($_REQUEST[$key], '%d')) { // unsigned
$def = $a[0];
} else {
# keine Zahl im Wert $key / no number
}
} else {
# key nicht gefunden / no key
}
return $def;
}

>
>>
>> But then I have to mention my setup with a sort of call
>> dispatcher: the called function is looked up in a list taking
>> into account $_SERVER['REQUEST_METHOD'].
>
> That explanation makes no sense to me without any more context.
> Are you saying you are limiting access to certain function by
> checking the used $_SERVER['REQUEST_METHOD']?
> If so, that won't help at all, since anybody could still use the
> "right" REQUEST_METHOD and manipulate the contents of GPC at the
> same time.

This is correct, it is not a real protection, but part of the
request processing. And the correct request processing takes care
to only read in and verify expected data.

>>
>> All user input must be verified, no matter if it's in $_GET,
>> $_POST, $_COOKIE or $_REQUEST for that matter - they can all be
>> faked!
>
> Of course.
> But how does that relate to using $_REQUEST over the exact
> superglobal?

if (is-a-post-operation AND data-expected)
read post data;
elseif (is-a-get-operation AND data-expected)
read get data;

What for? Just do
if (data-expected) read request data.


> If you think I am wrong about that, please tell me why.
> I had this discussion a few years back too, but the guy turned
> out to be a troll (and silly me took the bait!), so that turned
> out to be a dead end.

Always check data on input :-)

>
> Regards,
> Erwin Moller
>

/Str.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 23:05:28 GMT 2024

Total time taken to generate the page: 0.04339 seconds