FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176434 is a reply to message #176432] Fri, 06 January 2012 19:34 Go to previous messageGo to previous message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
Senior Member
Thomas Mlynarczyk wrote:
> Jerry Stuckle schrieb:
>> On 1/6/2012 6:05 AM, Thomas Mlynarczyk wrote:
>>> Jerry Stuckle schrieb:
>>>
>>>> $REQUESTS is quite dangerous. You never know whether it comes from
>>>> $_GET, $_POST or $_COOKIE, for instance.
>>>
>>> True, you don't know. But does it matter?
>>
>> No, it doesn't matter if you aren't concerned about security.
>
> I was hoping for some objective arguments, but well...
>
> Okay, let me rephrase this. Suppose you have a parameter foo which is
> expected to be sent via $_POST only. So if it's being sent via $_GET you
> refuse it as invalid. Okay. So all the attacker has to do is send it via
> $_POST and you will happily accept it. Now of course you must ensure
> that this foo parameter, even if sent via $_POST, can do no evil. You
> must properly validate it. But once you're there, you might as well
> accept it via $_GET, for what difference does it make now? You validate
> it, so it can do no harm.
>
> I repeat: An attacker can send ANYTHING via GET or POST or COOKIE as he
> chooses. YOU, therefore, cannot say "this came via POST as intended, so
> it's safe". You must not rely on the data source. Therefor, the data
> source should be irrelevant to your application and your application
> must be designed so that it doesn't matter if the data comes via GET,
> POST or COOKIE. In other words: When some evil person knocks on your
> door, it really doesn't matter if he came by train or by car to your
> doorstep. The same holds for a nice guy visiting you.
>
> Greetings,
> Thomas
>
well its a shade easier for a script kiddie to set a get variable than a
post and a bit harder to set a cookie...

But the whole thing is all about the context in which you are running a
website.

(Or Jerry's ego, whatever)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Nov 22 18:44:29 GMT 2024

Total time taken to generate the page: 0.05268 seconds