Reputation: 2322
is $_REQUEST dangerous even if you clean it?
I know $_REQUEST is bad because it contains cookie data as well.
Is it still bad to use $_REQUEST if we use some sort of clean function to it? Would someone be able to elaborate?
Upvotes: 0
Views: 360
Answers (1)
Reputation: 14681
$_REQUEST is not specifically dangerous. Any user input can be an attack and should be treated as such. For any input medium $_GET, $_POST, $_COOKIE, use an appropriate method intval(), preg_match(), ... to verify that the value you receive is something you expect.
For example if you expect a file name and intend to send it to the user, make sure it does not contain .. or / so the user won't be able to access your filesystem.
If you want to insert a user generated value in a database, make sure you are escaping your values, using the old mysql_real_escape_string, or better PDO or mysqli prepared statements.
Upvotes: 3
Related Questions
- $_REQUEST in PHP
- PHP - are $_GET, $_POST, $_REQUEST, $_COOKIE and other built in request variables safe to show visitors?
- Does PHP's $_REQUEST method have a security problem?
- Could $_REQUEST variables lead to code execution?
- When there is nothing to be $_REQUEST
- When is it safe to use PHP Get requests
- Security risk from using $_SERVER['REQUEST_URI'] in forms
- Is this a good method of ensuring $_REQUEST data is safe?
- is $_REQUEST unsafe to use instead of $_POST or $_GET?
- How evil is $_REQUEST and what are some acceptable Band-Aid countermeasures?