[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET
jeremy.visser at gmail.com
Wed Aug 29 09:32:40 GMT 2007
jacobsantos at branson.com wrote:
> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I want
> you to hack me" Don't use it. The reason for WordPress using $_POST for
> form data and $_GET for url data is for the same reason register globals
> is a terrible security risk. $_REQUEST is similar to using $_REQUEST and
> you don't know if it is coming from the Server (HTTP), form, or url.
It is possible to inject malicious data in GET, POST, and COOKIEs, so,
say, only using $_POST will mean that rather than a cracker being able
to use GET to run the exploit, he will have to spend about 30 seconds
more of his time (remember: crackers have a lot of patience) creating a
simple HTML form that POSTs instead. Not any more secure.
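An added illustration of the two points in this exchange, written for this page rather than taken from the thread or from WordPress itself: the first function shows why a value read through $_REQUEST has no identifiable source, and the second shows a handler that reads only from the source it expects and then relies on a whitelist and a WordPress nonce rather than on the choice of superglobal. wp_verify_nonce() and wp_nonce_field() are real WordPress functions; the parameter name `status`, the nonce action `change_status` and the allowed values are assumptions made for the example.

```php
<?php
// Added example, not code from the original thread or from WordPress.
// Parameter name, nonce action and allowed values are illustrative assumptions.

// $_REQUEST is $_GET, $_POST and (depending on configuration) $_COOKIE merged
// into one array. The merge order comes from request_order (PHP >= 5.3) or
// variables_order, and a later source overwrites an earlier one with the same
// key. A value read this way may have arrived in the query string, a form body,
// or a cookie the browser attached automatically, and the handler cannot tell.
function status_via_request() {
    return isset($_REQUEST['status']) ? $_REQUEST['status'] : null;
}

// Source-explicit, validated version. It reads from $_POST only, but, as the
// reply above notes, that alone is not a security boundary: anyone can submit
// a POST. The controls that matter are the method check, the nonce bound to
// the logged-in user and this action, and the whitelist on the value itself.
// The form that posts here would emit the token with wp_nonce_field('change_status').
function handle_status_change() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;  // state changes only on POST; GET is for reading
    }
    $nonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'change_status')) {
        return false;  // token missing, forged, or expired
    }
    $status  = isset($_POST['status']) ? $_POST['status'] : '';
    $allowed = array('draft', 'publish');  // assumed set of valid values
    if (!in_array($status, $allowed, true)) {
        return false;  // reject anything outside the expected set
    }
    // ... apply $status to the post here ...
    return true;
}
```

The point of the second function is that the validation and the nonce check would be just as necessary if the value were read from $_GET; choosing $_POST only tells the reader of the code where the value is meant to come from.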