[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

Jeremy Visser jeremy.visser at gmail.com
Wed Aug 29 09:32:40 GMT 2007


jacobsantos at branson.com wrote:
> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I want
> you to hack me." Don't use it. The reason for WordPress using $_POST for
> form data and $_GET for url data is for the same reason register globals
> is a terrible security risk. $_REQUEST is similar to using $_REQUEST and
> you don't know if it is coming from the Server (HTTP), form, or url.

Huh ?!

It is possible to inject malicious data in GET, POST, and COOKIEs, so,
say, only using $_POST will mean that rather than a cracker being able
to use GET to run the exploit, he will have to spend about 30 seconds
more of his time (remember: crackers have a lot of patience) creating a
simple HTML form that POSTs instead. Not any more secure.
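
An added illustration of the point above, not code from the thread or from WordPress itself: restricting a handler to $_POST does not by itself stop a crafted form, so the defence is validating the value whatever its source and tying state-changing requests to a server-issued nonce. It assumes the code runs inside WordPress, where wp_verify_nonce(), wp_nonce_field(), current_user_can() and wp_delete_post() are available.

```php
<?php
// Added example, not part of the original message. Assumes a WordPress context.

// Fragile: $_REQUEST merges query string, form body and cookies (PHP's
// request_order decides which wins), and the value goes unvalidated into a
// state-changing action.
function delete_post_fragile() {
    $id = $_REQUEST['post_id'];   // source unknown, nothing checked
    wp_delete_post($id);
}

// Hardened: reading $_POST only narrows the source; the actual protections are
// validation of the value, a nonce that a form built elsewhere cannot supply,
// and an authorization check on the acting user.
function delete_post_hardened() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $nonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'delete_post')) {
        return false;             // forged, expired or missing nonce
    }
    if (!isset($_POST['post_id']) || !ctype_digit((string) $_POST['post_id'])) {
        return false;             // accept only a string of decimal digits
    }
    $id = (int) $_POST['post_id'];
    if ($id < 1 || !current_user_can('delete_post', $id)) {
        return false;             // valid input is still subject to authorization
    }
    wp_delete_post($id);
    return true;
}

// The form the site itself emits; wp_nonce_field() adds the hidden _wpnonce
// input that wp_verify_nonce() checks above.
function delete_post_form($post_id) {
    echo '<form method="post" action="">';
    wp_nonce_field('delete_post');
    echo '<input type="hidden" name="post_id" value="' . (int) $post_id . '">';
    echo '<input type="submit" value="Delete">';
    echo '</form>';
}
```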
