[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

Stephane Daury wordpress at tekartist.org
Thu Aug 30 04:01:29 GMT 2007

On Aug 29, 2007, at 5:32, Jeremy Visser wrote:

> jacobsantos at branson.com wrote:
>> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes,  
>> I want
>> you to hack me" Don't use it. The reason for WordPress using  
>> $_POST for
>> form data and $_GET for url data is for the same reason register  
>> globals
>> is terrible security risk. $_REQUEST is similar to using $_REQUEST  
>> and
>> you don't know if it is coming from the Server (HTTP), form, or url.
> Huh ?!
> It is possible to inject malicious data in GET, POST, and COOKIEs, so,
> say, only using $_POST will mean that rather than a cracker being able
> to use GET to run the exploit, he will have to spend about 30 seconds
> more of his time (remember: crackers have a lot of patience)  
> creating a
> simple HTML form that POSTs instead. Not any more secure.

I think Jacob's emphasis was on the fact that it's bad to lose track  
of where your data is coming from as a coder.

By using $_REQUEST, you give an attacker a chance to overwrite the  
content you expected by passing it twice through different sources.
That's one of the reasons why $_REQUEST does not includew the content  
of $_FILES since PHP 4.3.0.
See http://www.php.net/manual/en/ini.core.php#ini.variables-order


More information about the wp-hackers mailing list