>Can the $_REQUEST be trusted?? The documentation said it is the combination
>of $_GET, $_POST, $_COOKIE & $_FILE. If the PHPSESSID is found in
>$_REQUEST, I can tell it is from $_COOKIE. I wonder if the PHPSESSID can be
>stored into $_REQUEST if the $_COOKIE is unavailable or turned off?

Since *NONE* of $_GET, $_POST or $_COOKIE can be trusted, I don't think any combination of them should be trusted.

$_REQUEST is useful when you don't *CARE* if the data came from GET/POST, and have a script that accepts either. I have written several such scripts, and the interface of one site/application accesses it with GET, and the other with POST, and I really don't give a [bleep] whether the incoming data is GET or POST. It's all coming from the Internet and is not to be trusted.

Forging a POST is not significantly more "tricky" than changing a URL. Just do "Save As..." HTML from somebody's site, change the HTML FORM elements, and then open the local file in your browser and POST away.

I've even used this technique to make use of "broken" sites simply by providing the FORM elements they forgot that their processing script told me it needed.

--
Like Music?
http://l-i-e.com/artists.htm
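
The point made in the reply above, as an added example that is not part of the original message: a script that accepts GET or POST alike validates every field against an allow-list, whichever array it arrived in. The field names, rules and sample arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical field rules for a script that accepts GET or POST alike.
const RULES = [
    'artist_id' => ['type' => 'int', 'min' => 1, 'max' => 100000],
    'sort'      => ['type' => 'enum', 'allowed' => ['name', 'date']],
    'q'         => ['type' => 'regex', 'pattern' => '/\A[\p{L}\p{N} ._-]{1,64}\z/u'],
];

// Validate each expected field the same way, whatever array it came from.
// Returns [clean values, names of rejected or missing fields].
function validate_input(array $source, array $rules): array
{
    $clean = [];
    $rejected = [];
    foreach ($rules as $name => $rule) {
        $raw = $source[$name] ?? null;
        // A client can send field[]=x and turn a value into an array;
        // only plain strings are accepted here.
        if (!is_string($raw)) {
            $rejected[] = $name;
            continue;
        }
        if ($rule['type'] === 'int') {
            $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'], 'max_range' => $rule['max'],
            ]]);
            $ok = $value !== false;
        } elseif ($rule['type'] === 'enum') {
            $value = $raw;
            $ok = in_array($raw, $rule['allowed'], true);
        } else { // regex
            $value = $raw;
            $ok = preg_match($rule['pattern'], $raw) === 1;
        }
        if ($ok) { $clean[$name] = $value; } else { $rejected[] = $name; }
    }
    return [$clean, $rejected];
}

// Constructed samples standing in for $_GET and for a hand-edited form POST.
// A real script would pass $_REQUEST (or $_GET / $_POST) instead.
$fromGet  = ['artist_id' => '42', 'sort' => 'name', 'q' => 'blues'];
$fromPost = ['artist_id' => '42abc', 'sort' => 'price', 'q' => ['x']];

foreach (['GET' => $fromGet, 'POST' => $fromPost] as $label => $input) {
    [$clean, $rejected] = validate_input($input, RULES);
    printf("%s clean=%s rejected=%s\n", $label, json_encode($clean), json_encode($rejected));
}
```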