What the hell is this php $_REQUEST
With $_REQUEST you can access GET, POST,and cookies, $_GET['id'] or $_POST['id'] COOKIES['id'] can be simply accesed as $_REQUEST['id'].
Order/priority for input source
Two php ini variable the older gpc_order and the newer variables_order. Both settings reflect the relative priority of each input source. The default order for gpc_order is GPC (for GET, POST, cookie, respectively), where cookie has the highest priority and the default order for variables_order is EGPCS (system Environment, GET, POST, cookie, Server environment, respectively). So, if parameter a id is supplied via
a GET and a cookie, the cookie’s value for id is preferred.
Vulnerability with php $_REQUEST
While $_REQUEST seems convenient, and one can have no problem with conflating GET and POST parameters. but the problem is that it also by default include $_COOKIE and no developer will ever want to treat them same as GET and POST.
Think of a situation where you allow a user to see a text content when a cookie is set
if(isset($_REQUEST[‘id’])){ //here request variable comes from a cookie
echo "you can see this";
}else{
echo "sorry";
}
An intruder can just call the script with id as url parameter ?id=9 and see the value which is allowed only if id value is set by a cookie.So
Don't worry be brave use best approach against php $_REQUEST
its always better to just use the input method-specific superglobals instead.
if(isset($_COOKIE[‘id’])){
echo "you can see this";
}else{
echo "sorry";
}
Though $_REQUEST could be a very basic level of threat and as a programmer(any language) you need to always take care of several other big threats things like - SQL injection, CSRF, session fixation attacks etc. in your code. But still it better to start code by keeping in mind even this kind of basic detail.
More on PHP Secure Coding
7 comments:
You have shared really such a nice information which is helped me so much and I think it will help to many other people.
magento development
4 years = guru != true.
May be rising of guru...
This is *not* a "vulnerability". This is a "best practice" at best...sure, using $_REQUEST irresponsibly can *lead* to vulnerabilities, but the issue isn't with $_REQUEST itself (nor PHP, which is doing what it should in this case).
$_REQUEST is a convenience variable and, in reality, should never be used when you can use the more specific superglobal (like $_POST or $_GET) as you mention.
Is this a joke? $_POST, $_GET, and $_COOKIE can all be manipulated by the client. Use sessions instead.
Hi, Chris
As you are saying that it is more about best practice and if used irresponsibly it lead to vulnerabilities. I just like you are trying to say that a gun is just for Human Safey, It's a weapon ONLY if used irresponsibly :)
Post a Comment