Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Re: Magic quotes? Should I still be cautious? [message #176433 is a reply to message #176432] Fri, 06 January 2012 19:24
M. Strobel
On 06.01.2012 20:14, Thomas Mlynarczyk wrote:
> Jerry Stuckle wrote:
>> On 1/6/2012 6:05 AM, Thomas Mlynarczyk wrote:
>>> Jerry Stuckle wrote:
>>>
>>>> $_REQUEST is quite dangerous. You never know whether it comes from
>>>> $_GET, $_POST or $_COOKIE, for instance.
>>>
>>> True, you don't know. But does it matter?
>>
>> No, it doesn't matter if you aren't concerned about security.
>
> I was hoping for some objective arguments, but well...
>
> Okay, let me rephrase this. Suppose you have a parameter foo
> which is expected to be sent via $_POST only. So if it's being
> sent via $_GET you refuse it as invalid. Okay. So all the
> attacker has to do is send it via $_POST and you will happily
> accept it. Now of course you must ensure that this foo parameter,
> even if sent via $_POST, can do no evil. You must properly
> validate it. But once you're there, you might as well accept it
> via $_GET, for what difference does it make now? You validate it,
> so it can do no harm.
>
> I repeat: An attacker can send ANYTHING via GET or POST or COOKIE
> as he chooses. YOU, therefore, cannot say "this came via POST as
> intended, so it's safe". You must not rely on the data source.
> Therefore, the data source should be irrelevant to your
> application and your application must be designed so that it
> doesn't matter if the data comes via GET, POST or COOKIE. In
> other words: When some evil person knocks on your door, it really
> doesn't matter if he came by train or by car to your doorstep.
> The same holds for a nice guy visiting you.
>
> Greetings,
> Thomas
>
Quite near to a mathematical proof.

/Str.

To your signature: In that case, those who are wrong are not many.
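The position argued in the quoted post, that the transport channel is not a security property and that the validator must do all the work, can be made concrete in PHP. The code below is an added example, not code from the thread or from any of its participants: `readParam` and `$fooValidator` are hypothetical names, and the `$get`, `$post` and `$cookie` arrays are constructed sample input standing in for the real superglobals. The parameter `foo` is accepted only if it passes the same strict check, no matter which array it came out of.

```php
<?php
// Added example (not from the thread): validate a parameter identically
// regardless of which request channel carried it.
declare(strict_types=1);

/**
 * Look up $name in the given source arrays (first array that has the key
 * wins) and return the validated value, or null if it is absent or fails
 * validation. The caller passes the sources explicitly, so the code shows
 * which channels are acceptable for this parameter instead of relying on
 * the merge order PHP uses to build $_REQUEST.
 */
function readParam(string $name, array $sources, callable $validate): mixed
{
    foreach ($sources as $source) {
        if (!array_key_exists($name, $source)) {
            continue;
        }
        $value = $source[$name];
        if (!is_string($value)) {
            // foo[]=1 style input arrives as an array; a scalar parameter
            // must never accept it, whatever the channel.
            return null;
        }
        // Present but invalid is a rejection, not a reason to try the
        // next channel: an attacker controls all channels equally.
        return $validate($value);
    }
    return null;
}

// Hypothetical validator: 'foo' must be an integer in 1..100, nothing else.
$fooValidator = static function (string $v): ?int {
    $n = filter_var($v, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $n === false ? null : $n;
};

// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$get    = ['foo' => '42'];
$post   = ['foo' => '42abc'];       // not an integer
$cookie = ['foo' => ['nested']];    // array, not a scalar

var_dump(readParam('foo', [$get], $fooValidator));          // int(42)
var_dump(readParam('foo', [$post], $fooValidator));         // NULL
var_dump(readParam('foo', [$post, $get], $fooValidator));   // NULL: present but invalid
var_dump(readParam('foo', [$cookie], $fooValidator));       // NULL
var_dump(readParam('foo', [$get, $post], $fooValidator));   // int(42)
```

Two design points follow from the thread. The validator is the only thing that decides acceptance, so the result for `'42'` is the same whether it is listed as coming from `$get`, `$post` or a cookie array. And the sources are an explicit list rather than `$_REQUEST`: PHP fills `$_REQUEST` according to the `request_order` (or, if unset, `variables_order`) ini setting, so which channel wins a name collision depends on server configuration; naming the arrays in the call makes that order visible in the code that is being reviewed.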