[nycphp-talk] $_REQUEST: Bad Form?

Peter Sawczynec ps at sun-code.com
Tue Oct 16 08:42:26 EDT 2007


$_REQUEST provides an opportunity of some degree for a hack and/or an
attack against a script or application.  

Worst case scenario is that you, as a new programmer on a complex legacy
application that incorporates $_REQUEST, have actually taken over a script
product that has willful backdoor hacks integrated into the programming,
such that deep in some large class object or buried in a benign PHP
include file there could plausibly be functionality that is expecting
and operating on variables that can at any time be forced into the script
logic stream by simply adding them to the URL GET or POST data.

The above noted is clearly a very bad worst case, but has a higher
probability of occurring than you might first consider because
statistically more black hat attacks and break-ins occur from
people inside the company rather than external attackers.

Now if you employ sanitizing techniques on all your variables that not
only clean up the expected variables but additionally proactively
destroy or deny all other unexpected variables, then you might be
okay.

For example, in my last sanitizing scheme, I maintained a white list
array of expected variable names and all REQUEST data was first compared
against the white list before it was operated on. All other variable
names not on the white list were not only ignored but explicitly
destroyed. Additionally, in a script when I was expecting POST data, I
explicitly destroyed the GET data. 

The additional rub of dealing with GET, POST and COOKIE data with the
same variable names is also a potential downside that might not affect
you but might trip up a future programmer who works on your code later. 

I think the case against using $_REQUEST is fairly solid and if an
existing script is allowing other users and applications from anywhere
in the world to essentially submit any kind of variables by any method
they please, then we might have a 'situation' of some sort on our hands
that likely needs careful review and re-review.

Warmest regards, 
 
Peter Sawczynec 
Technology Dir.
Sun-code Interactive
Sun-code.com 
646.316.3678 
ps at sun-code.com



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Brian D.
Sent: Friday, October 12, 2007 1:00 PM
To: NYPHP Talk
Subject: [nycphp-talk] $_REQUEST: Bad Form?

I can't find where I read it originally, but somewhere I've been told
or read that "using $_REQUEST is bad form." I understand that in cases
where you want to force a $_POST request, but if you might receive
$_GET or $_POST then isn't it better than doing if/elses?

The only related thing I could find on Google was this guy (
http://mypetprogrammer.com/blog/?p=15 ) but he seems to erroneously
believe that using $_POST somehow saves you from a SQL injection
attack.

I'm also thinking that some servers don't use the $_REQUEST array.

Can you define why it's bad form? When is it considered acceptable to
use?

Thanks!
- B.
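
The whitelist scheme described in the reply at the top of this thread, sketched as an added example (not code from the original post or its author). The function name `enforce_allowlist()` and the form field names are hypothetical, and the sample request is constructed.

```php
<?php
/**
 * Keep only the expected variable names from the expected method's data and
 * explicitly destroy everything else: unexpected names, the other method's
 * data, and the merged $_REQUEST array.
 *
 * @param string   $method   'GET' or 'POST', the method this script expects
 * @param string[] $expected allowlisted variable names
 * @return array   names that were submitted but rejected (useful for logging)
 */
function enforce_allowlist(string $method, array $expected): array
{
    if ($method !== 'GET' && $method !== 'POST') {
        throw new InvalidArgumentException('method must be GET or POST');
    }

    $input   = ($method === 'POST') ? $_POST : $_GET;
    $other   = ($method === 'POST') ? $_GET  : $_POST;
    $allowed = array_flip($expected);

    // Everything that arrived but is not acceptable to this script.
    $rejected = array_merge(
        array_keys(array_diff_key($input, $allowed)), // unexpected names
        array_keys($other)                            // wrong-method data
    );

    $clean = array_intersect_key($input, $allowed);

    // Destroy all request data, then restore only the allowlisted values.
    // $_REQUEST stays empty so no later code (or include file) can read
    // GET, POST or COOKIE values through it under a colliding name.
    $_GET = $_POST = $_REQUEST = [];
    if ($method === 'POST') {
        $_POST = $clean;
    } else {
        $_GET = $clean;
    }

    return $rejected;
}

// Constructed sample request: a POST form with one extra field, plus a
// parameter appended to the URL.
$_POST    = ['email' => 'user@example.com', 'comment' => 'hi', 'is_admin' => '1'];
$_GET     = ['debug' => '1'];
$_REQUEST = $_GET + $_POST;

$rejected = enforce_allowlist('POST', ['email', 'comment']);
var_dump($_POST, $_GET, $_REQUEST, $rejected);
```

Values that pass the name check still need per-field validation before use; the filter only controls which names reach the script and by which method.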