Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does PHP's $_REQUEST method have a security problem?

Tags:

security

php

The textbook I read says that $_REQUEST has security problem so we better use $_POST.

Is this OK?

like image 408
jim-prove Avatar asked Jul 19 '09 02:07

jim-prove

People also ask

Are .PHP sites safe?

PHP is as secure as any other major language. PHP is as secure as any major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security.

Is GET method insecure?

GET is used when we want to pass the data which is not going to change (say static), addition to this Get is unsecured but it doesn't need any user input.

What is the purpose $_ request variable?

PHP $_REQUEST is a PHP super global variable which is used to collect data after submitting an HTML form. The example below shows a form with an input field and a submit button. When a user submits the data by clicking on "Submit", the form data is sent to the file specified in the action attribute of the <form> tag.

What are the use of the $_ request variable and $_ server?

The PHP $_REQUEST is a PHP superglobal variable that is used to collect the data after submitting the HTML forms as the $_REQUEST variable is useful to read the data from the submitted HTML open forms. $_REQUEST is an associative array that by default contains contents of an $_GET, $_POST, and $_COOKIE.

2 Answers

I would say that it is dangerous to characterise $_POST as more secure than $_REQUEST.

If the data is not being validated and sanitized before being used, you have a possible vector of attack.

In short: It doesn't matter where the data comes from if it is not being handled in a secure manner.

like image 68
Toby Hede Avatar answered Oct 14 '22 04:10

Toby Hede

Well, the reason that $_REQUEST has issues is that it picks up values from $_GET, $_POST, and $_COOKIE, which means that if you code things certain ways and make certain invalid trusting-the-client assumptions, a malicious user could take advantage of that by supplying a value in a different place than you expected and overriding the one you were trying to pass.

This also means that you may have given your henchman incorrect instructions, because it may have been a GET or COOKIE value that he was picking up from $_REQUEST. You would need to use whatever place the value you're looking for actually shows up, not necessarily $_POST.

like image 21
chaos Avatar answered Oct 14 '22 04:10

chaos
Sign in to Comment

Related questions

How to automatically import the namespace of a class in VS Code?
Nginx connect() failed error
Nginx PHP Failing with Large File Uploads (Over 6 GB)
How to insert special characters into a database?
Move Value in PHP Array to the Beginning of the Array
jQuery $.post processing JSON response
PHP function returning two arrays
Group array values based on key in php?
Regex to match a slug?
Validate IBAN PHP
Using integers for registered date claims is deprecated, please use DateTimeImmutable objects instead [duplicate]
php object attribute with dot in name
How to generate date for MySQL DATETIME type with PHP?
How to get root dir on PHP
Checking if string contains "HTTP://"
group array of php objects by object property
PHP - How to use strtolower in query
PHP cURL, read remote file and write contents to local file
Insert variable into Header Location PHP
if statement in the middle of concatenation? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!