Hi!

Scott Fletcher wrote:
> Can the $_REQUEST be trusted?? The documentation said it is the combination
> of $_GET, $_POST, $_COOKIE & $_FILE. If the PHPSESSID is found in
> $_REQUEST, I can tell it is from $_COOKIE. I wonder if the PHPSESSID can be
> stored into $_REQUEST if the $_COOKIE is unavailable or turned off?
Think of it as channels. You have 4 channels your data can come in:

1) GET (the link parameters or a form sent on the GET channel)
2) POST (a POSTed form)
3) COOKIE (data stored on the client machine IF the client machine will accept doing that for you)

Now, as the song goes, "you only get what you give". If you tried storing your data in a cookie, $_REQUEST will have the data *only* if the cookie worked. For you to find it in there anyway you should send it back on multiple channels (but then why should you need a cookie when you are sure you are going to get it anyway from another channel?)

The basic weak spot in using $_REQUEST is in that people may have your software believe that it received the input while they do send it from another channel:

1) me disables the cookies on my browser
2) me adds ?yourCookieName=myValue on the link (or &yourCookieName=myValue if you already have stuff on the GET line)
3) you (your software) thinks you got the cookie and uses it. What happens next depends on the nature of data involved.

That's possible if you use the $_REQUEST. Again, it might mean nothing in your context (that is, the cookie value might be absolutely irrelevant from a security point of view). But it should be taken into consideration.

Bye
Альберто
Киев

--
PHP General Mailing List (http://www.php.net/)
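
The channel substitution described in the reply, shown as an added example that is not part of the original message: the merged view reports a "cookie" that only ever arrived on the link, while reading the cookie channel directly does not. The helpers mergeRequest(), fromChannel() and strayChannels() are hypothetical names, the request data is constructed, and the 'GPC' merge order is an assumed request_order setting.

```php
<?php
// Added example: names and sample data are constructed for illustration.

/** Build a $_REQUEST-style array: request_order letters are applied left to
 *  right, and a later channel overwrites an earlier one on a name clash. */
function mergeRequest(string $order, array $get, array $post, array $cookie): array
{
    $channels = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($channels[$letter])) {
            $merged = array_replace($merged, $channels[$letter]);
        }
    }
    return $merged;
}

/** Read a value from exactly one channel; null if it did not arrive there. */
function fromChannel(array $channel, string $name): ?string
{
    $value = $channel[$name] ?? null;
    return is_string($value) ? $value : null;
}

/** Channels other than the expected one that carry the name (worth logging). */
function strayChannels(string $name, string $expected, array $channels): array
{
    $stray = [];
    foreach ($channels as $label => $data) {
        if ($label !== $expected && array_key_exists($name, $data)) {
            $stray[] = $label;
        }
    }
    return $stray;
}

// Constructed request: the browser sends no cookies, the name is on the link.
$get    = ['page' => 'inbox', 'yourCookieName' => 'myValue'];
$post   = [];
$cookie = [];
$all    = ['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie];

$request = mergeRequest('GPC', $get, $post, $cookie);

var_dump($request['yourCookieName'] ?? null);      // what $_REQUEST-style code sees
var_dump(fromChannel($cookie, 'yourCookieName'));  // what the cookie channel holds
print_r(strayChannels('yourCookieName', 'COOKIE', $all));
```

In a real script the three arrays would be $_GET, $_POST and $_COOKIE; a non-empty result from strayChannels() for a cookie name is a signal that the value was supplied on a channel the application never used to set it.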