[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite
Stephane Daury
wordpress at tekartist.org
Thu Aug 30 04:01:29 GMT 2007
On Aug 29, 2007, at 5:32, Jeremy Visser wrote:
> jacobsantos at branson.com wrote:
>> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I want
>> you to hack me". Don't use it. The reason for WordPress using $_POST for
>> form data and $_GET for url data is for the same reason register globals
>> is a terrible security risk. $_REQUEST is similar to using $_REQUEST and
>> you don't know if it is coming from the Server (HTTP), form, or url.
>
> Huh ?!
>
> It is possible to inject malicious data in GET, POST, and COOKIEs, so,
> say, only using $_POST will mean that rather than a cracker being able
> to use GET to run the exploit, he will have to spend about 30 seconds
> more of his time (remember: crackers have a lot of patience) creating a
> simple HTML form that POSTs instead. Not any more secure.
I think Jacob's emphasis was on the fact that it's bad to lose track
of where your data is coming from as a coder.
By using $_REQUEST, you give an attacker a chance to overwrite the
content you expected by passing it twice through different sources.
That's one of the reasons why $_REQUEST does not include the content
of $_FILES since PHP 4.3.0.
See http://www.php.net/manual/en/ini.core.php#ini.variables-order
Stephane
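The override Stephane describes, as an added example that is not part of the thread: it rebuilds the $_REQUEST merge for several order strings on constructed request data (mirroring PHP's request_order / variables_order semantics, where later sources overwrite earlier ones), then shows a handler that reads only the superglobal it expects. All parameter values are constructed; it runs from the PHP CLI.

```php
<?php
// Added example, not from the wp-hackers thread. PHP fills $_REQUEST from
// $_GET, $_POST and $_COOKIE in the order given by request_order (falling
// back to variables_order); a later source overwrites an earlier one. A
// single request can carry the same parameter name in all three, so the
// value a handler reads from $_REQUEST depends on that ini setting rather
// than on the form the handler rendered.

// Constructed request: the profile form POSTs user_id=42, but the same
// request also carries a query-string parameter and a cookie of that name.
$get    = ['user_id' => '7'];
$post   = ['user_id' => '42', 'action' => 'update_profile'];
$cookie = ['user_id' => '1'];

/**
 * Rebuild $_REQUEST for an order string such as "GP" or "GPC"
 * (G = $_GET, P = $_POST, C = $_COOKIE). Later letters win.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        // array_merge overwrites string keys already present
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// Same request, three ini settings: the winning user_id differs each time.
foreach (['GP', 'GPC', 'CPG'] as $order) {
    $merged = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['user_id'] = %s\n", $order, $merged['user_id']);
}

// Defensive handler: the profile form is a POST form, so it reads $_POST only
// and validates the value. The stray GET and cookie values never reach it,
// whatever request_order is set to.
function handle_profile_update(array $post): string
{
    if (($post['action'] ?? '') !== 'update_profile') {
        return 'ignored: not a profile update';
    }
    if (!isset($post['user_id']) || !preg_match('/\A\d+\z/', $post['user_id'])) {
        return 'rejected: user_id missing or not numeric';
    }
    return 'updating profile for user ' . (int) $post['user_id'];
}

echo handle_profile_update($post), "\n";
```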