[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

Rob Miller r at robm.me.uk
Tue Aug 28 17:24:31 GMT 2007


jacobsantos at branson.com wrote:
> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I 
> want you to hack me." Don't use it. The reason for WordPress using 
> $_POST for form data and $_GET for URL data is the same reason 
> register globals is a terrible security risk. $_REQUEST is similar to 
> using $_REQUEST and you don't know if it is coming from the server 
> (HTTP), form, or URL.
>
> You must know since you created the plugin, so find out and use the 
> correct super global. If you kept this and released it GPL, the first 
> thing I will do is convert it to the right super global.
What on earth? So long as you handle the data appropriately it doesn't 
matter where it comes from. CSRF attacks, for example, are possible with 
both GET and POST; so are SQL injections; so are XSS attacks, etc.

Only using $_GET or only using $_POST will not make your scripts even 
slightly more secure.

-- 
Rob Miller
http://robm.me.uk/
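As an added illustration of the point made in the reply above (this is example code, not from the thread or from WordPress), the same handler run against merged, $_REQUEST-shaped input: whether the values arrived by GET or POST changes nothing, while a token check, input validation and output escaping do. All function and token names are hypothetical.

```php
<?php
// Added example, not from the original thread. Shows that safety comes from how
// the handler treats its input, not from which superglobal it was read from.
declare(strict_types=1);

// Hypothetical per-session anti-CSRF secret; a real app keeps it in the session.
const SESSION_CSRF_TOKEN = 'constructed-example-token';

/**
 * Unsafe version: no CSRF token check, no validation, no escaping.
 * Reading from $_POST instead of $_REQUEST would not fix any of these.
 */
function delete_post_unsafe(array $input): string
{
    $id = $input['post_id'] ?? '';          // arbitrary string accepted as-is
    return "Deleted post $id";              // reflected unescaped, no token check
}

/**
 * Hardened version: refuses requests without a valid anti-CSRF token,
 * validates post_id as a positive integer and escapes the output.
 * Returns null when the request is rejected.
 */
function delete_post_safe(array $input, string $expectedToken): ?string
{
    $token = $input['_token'] ?? '';
    if (!is_string($token) || !hash_equals($expectedToken, $token)) {
        return null;                        // cross-site request: refused
    }
    $id = filter_var($input['post_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                        // malformed id: refused
    }
    return 'Deleted post ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs. $_REQUEST merges $_GET and $_POST, so a forged request
// (no token) looks identical to the handler regardless of the HTTP method used.
$forged = ['post_id' => 'not-a-number'];
$legit  = ['post_id' => '42', '_token' => SESSION_CSRF_TOKEN];

var_dump(delete_post_unsafe($forged));                  // string "Deleted post not-a-number"
var_dump(delete_post_safe($forged, SESSION_CSRF_TOKEN)); // NULL (rejected)
var_dump(delete_post_safe($legit, SESSION_CSRF_TOKEN));  // string "Deleted post 42"
```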
