FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176432 is a reply to message #176424] Fri, 06 January 2012 19:14 Go to previous messageGo to previous message
Thomas Mlynarczyk is currently offline  Thomas Mlynarczyk
Messages: 131
Registered: September 2010
Karma:
Senior Member
Jerry Stuckle schrieb:
> On 1/6/2012 6:05 AM, Thomas Mlynarczyk wrote:
>> Jerry Stuckle schrieb:
>>
>>> $REQUESTS is quite dangerous. You never know whether it comes from
>>> $_GET, $_POST or $_COOKIE, for instance.
>>
>> True, you don't know. But does it matter?
>
> No, it doesn't matter if you aren't concerned about security.

I was hoping for some objective arguments, but well...

Okay, let me rephrase this. Suppose you have a parameter foo which is
expected to be sent via $_POST only. So if it's being sent via $_GET you
refuse it as invalid. Okay. So all the attacker has to do is send it via
$_POST and you will happily accept it. Now of course you must ensure
that this foo parameter, even if sent via $_POST, can do no evil. You
must properly validate it. But once you're there, you might as well
accept it via $_GET, for what difference does it make now? You validate
it, so it can do no harm.

I repeat: An attacker can send ANYTHING via GET or POST or COOKIE as he
chooses. YOU, therefore, cannot say "this came via POST as intended, so
it's safe". You must not rely on the data source. Therefor, the data
source should be irrelevant to your application and your application
must be designed so that it doesn't matter if the data comes via GET,
POST or COOKIE. In other words: When some evil person knocks on your
door, it really doesn't matter if he came by train or by car to your
doorstep. The same holds for a nice guy visiting you.

Greetings,
Thomas

--
Ce n'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!
(Coluche)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 22:46:10 GMT 2024

Total time taken to generate the page: 0.04428 seconds