Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How evil is $_REQUEST and what are some acceptable Band-Aid countermeasures?

Tags:

security

php

xss

I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it reminds me of register_globals.

Can you provide a good explanation/evidence of why $_REQUEST is bad practice? I'll throw out a couple of examples I've dug up, and would love more information/perspective on both theoretical attack vectors and real-world exploits, as well as suggestions of reasonable steps the sysadmin can take to reduce risk (short of rewriting the app ... or, do we need to go to management and insist on a rewrite?).

Example vulnerabilities: Default GPC array merge-order means that COOKIE values override GET and POST, so $_REQUEST can be used for XSS and HTTP attacks. PHP lets cookie vars overwrite the superglobal arrays. First 10 slides of this talk give examples (whole talk is great). phpMyAdmin exploit example of CSRF attack.

Example countermeasures: Reconfigure $_REQUEST array merge-order from GPC to CGP so GET/POST overwrite COOKIE, not the other way around. Use Suhosin to block overwrite of superglobals.

(Also, wouldn't be asking if I thought my question was a dupe, but happily the overwhelming SO answer to "When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?" was "Never.")

like image 388
joelhardi Avatar asked Nov 03 '08 13:11

joelhardi


People also ask

What is $_ request?

PHP $_REQUEST is a PHP super global variable which is used to collect data after submitting an HTML form. The example below shows a form with an input field and a submit button. When a user submits the data by clicking on "Submit", the form data is sent to the file specified in the action attribute of the <form> tag.

Why do we use $_ request variable?

The $_REQUEST variable is used to read the data from the submitted HTML form. Sample code: Here, the $_REQUEST variable is used to read the submitted form field with the name 'username'. If the form is submitted without any value, then it will print as “Name is empty”, otherwise it will print the submitted value.


2 Answers

Just treat it as it is: a method to get data from the user. It has to be sanitised and validated, so why should you care if it came in the form of a POST, a GET or a cookie? They all come from the user, so saying 'they can be spoofed!' is superfluous.

like image 81
Javier Avatar answered Oct 05 '22 09:10

Javier


$_REQUEST is a evil as $_GET, $_POST and $_COOKIE. While i think there are valid scenarios for using $_REQUEST but there is one good reason not using $_REQUEST and label it as "bad practice".

The main reason using $_REQUEST is that parameter can get transferred in $_POST or $_GET. By accessing $_REQUEST you don't have to check both $_GET and $_POST it the value is set. The problem is that the ini setting gpc_order can change the behavior how $_REQUEST is build. This setting may differ from server to server and you script may change the behavior.

like image 31
Joe Scylla Avatar answered Oct 05 '22 09:10

Joe Scylla