[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

jacobsantos at branson.com jacobsantos at branson.com
Tue Aug 28 17:30:27 GMT 2007


Rob Miller wrote:
> jacobsantos at branson.com wrote:
>> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I 
>> want you to hack me" Don't use it. The reason for WordPress using 
>> $_POST for form data and $_GET for url data is for the same reason 
>> register globals is terrible security risk. $_REQUEST is similar to 
>> using $_REQUEST and you don't know if it is coming from the Server 
>> (HTTP), form, or url.
>>
>> You must know since you created the plugin, so find out and use the 
>> correct super global. If you kept this and released it GPL, the first 
>> thing I will do is convert it to the right super global.
> What on earth? So long as you handle the data appropriately it doesn't 
> matter where it comes from. CSRF attacks, for example, are possible 
> with both GET and POST; so are SQL injections; so are XSS attacks, etc.
>
> Only using $_GET or only using $_POST will not make your scripts even 
> slightly more secure.
>
Yes, you still need to sanitize or you'll still be hackable. However, 
with $_GET and $_POST, you at least know where the information is coming 
from, which is safer than relying on $_REQUEST is coming from a form 
like you expect. Besides that, I would say it doesn't inform upon the 
intention of the developer of where he is seeking the input. Finally, it 
is bad coding practice because of the above.

Jacob Santos


More information about the wp-hackers mailing list