Does PHP's $_REQUEST method have a security problem?

Tags: security, php

The textbook I read says that $_REQUEST has a security problem, so we had better use $_POST.

Is this OK?

jim-prove asked Jul 19 '09 02:07



2 Answers

I would say that it is dangerous to characterise $_POST as more secure than $_REQUEST.

If the data is not being validated and sanitized before being used, you have a possible vector of attack.

In short: It doesn't matter where the data comes from if it is not being handled in a secure manner.

Toby Hede answered Oct 14 '22 04:10


Well, the reason that $_REQUEST has issues is that it picks up values from $_GET, $_POST, and $_COOKIE, which means that if you code things certain ways and make certain invalid trusting-the-client assumptions, a malicious user could take advantage of that by supplying a value in a different place than you expected and overriding the one you were trying to pass.

This also means that you may have given your henchman incorrect instructions, because it may have been a GET or COOKIE value that he was picking up from $_REQUEST. You would need to use whatever place the value you're looking for actually shows up, not necessarily $_POST.

chaos answered Oct 14 '22 04:10
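
An added example, not part of either answer: it simulates from the CLI how PHP fills $_REQUEST according to the `request_order` setting (falling back to `variables_order` when that is unset), so the override described in the second answer becomes visible, and then reads the value from one explicit source with validation. `build_request()`, `int_from()` and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Mimics how PHP builds $_REQUEST: sources are merged in the order given by
// request_order ("GP", "GPC", ...); a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Reads a positive integer from exactly one named source.
// Missing, non-numeric or array values all come back as null.
function int_from(array $source, string $name): ?int
{
    $value = filter_var(
        $source[$name] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $value === false ? null : $value;
}

// Constructed request: the same parameter name arrives in three places.
$get    = ['account_id' => '1337']; // query string
$post   = ['account_id' => '42'];   // form body the handler expects
$cookie = ['account_id' => '7'];    // cookie sent by the client

// The value seen through the merged array depends on server configuration.
foreach (['GP', 'GPC', 'CPG'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s merged value: %s\n", $order, $request['account_id']);
}

// Without the POST field, the merged array silently falls back to the query string.
$request = build_request('GP', $get, [], $cookie);
printf("POST field absent, merged value: %s\n", $request['account_id']);

// Explicit source plus validation; in a real handler pass $_POST here.
var_dump(int_from($post, 'account_id'));                  // valid integer
var_dump(int_from([], 'account_id'));                     // missing field
var_dump(int_from(['account_id' => 'abc'], 'account_id')); // not an integer
```

Reading from the explicit source removes the ambiguity about where a value came from; the validation step is still needed, as the first answer points out.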