FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176430 is a reply to message #176426] Fri, 06 January 2012 18:07 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 1/6/2012 12:05 PM, M. Strobel wrote:
> Am 06.01.2012 11:07, schrieb Erwin Moller:
>> On 1/6/2012 12:28 AM, M. Strobel wrote:
>>> Am 05.01.2012 14:08, schrieb Erwin Moller:
>>>>
>
> -----------cut on various places
>
>> Hi Strobel,
>>
>> And why do you prefer $_REQUEST over using the exact superglobal?
>> You do know where the information is supposed to come from.
>>
> Yes I know that exactly. But why care? When I expect data I do
>
> function getIntFromForm($key, $def=null) {
> if (isset($_REQUEST[$key])) {
> if ($a = sscanf($_REQUEST[$key], '%d')) { // unsigned
> $def = $a[0];
> } else {
> # keine Zahl im Wert $key / no number
> }
> } else {
> # key nicht gefunden / no key
> }
> return $def;
> }
>
>>
>>>
>>> But then I have to mention my setup with a sort of call
>>> dispatcher: the called function is looked up in a list taking
>>> into account $_SERVER['REQUEST_METHOD'].
>>
>> That explanation makes no sense to me without any more context.
>> Are you saying you are limiting access to certain function by
>> checking the used $_SERVER['REQUEST_METHOD']?
>> If so, that won't help at all, since anybody could still use the
>> "right" REQUEST_METHOD and manipulate the contents of GPC at the
>> same time.
>
> This is correct, it is not a real protection, but part of the
> request processing. And the correct request processing takes care
> to only read in and verify expected data.
>
>>>
>>> All user input must be verified, no matter if it's in $_GET,
>>> $_POST, $_COOKIE or $_REQUEST for that matter - they can all be
>>> faked!
>>
>> Of course.
>> But how does that relate to using $_REQUEST over the exact
>> superglobal?
>
> if (is-a-post-operation AND data-expected)
> read post data;
> elseif (is-a-get-operation AND data-expected)
> read get data;
>
> What for? Just do
> if (data-expected) read request data.
>
>
>> If you think I am wrong about that, please tell me why.
>> I had this discussion a few years back too, but the guy turned
>> out to be a troll (and silly me took the bait!), so that turned
>> out to be a dead end.
>
> Always check data on input :-)
>
>>
>> Regards,
>> Erwin Moller
>>
>
> /Str.

You should KNOW whether it is a GET or POST operation, and not allow
hackers to slip things in other ways.

Of course, when you don't care about your sites being hacked, you can do
anything you want.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 23:04:27 GMT 2024

Total time taken to generate the page: 0.04033 seconds