checking $_REQUEST without the double impact value

**ampt** · 20.07.2010 16:15

Hey all,

Does anyone know if $_SERVER['REQUEST_METHOD'] can be trusted?

If it can be trusted, would that mean that something like the following is sane?

Code:

if(!in_array($_SERVER['REQUEST_METHOD'], array('GET', 'POST'))) {
    // check $_REQUEST
    $request = array(
        'REQUEST' => $_REQUEST,
        'COOKIE' => $_COOKIE
    );
} else {
	$request = array(
        'GET' => $_GET,
        'POST' => $_POST,
        'COOKIE' => $_COOKIE
    );
}

My reasoning behind this is that I only want an attack reported once so the impact value is consistant.

Is there a problem with this? Or should I be checking everything (as in REQUEST, GET, POST, COOKIE) on every request?

thanks for your time,

ampt

**.mario** · 05.08.2010 20:37

I think it should depend on your variables_order setting - and on the application especially regarding HPP. You should be fine with _REQUEST but there might be edge cases where an attacker can bypass the detection. Are you trusted with HPP (HTTP Parameter Pollution)?

**ampt** · 31.08.2010 11:20

Yes you're right, I've come to the conclusion that its better to check everything just to be sure.

thanks mario

**xero.nu** · 31.05.2012 20:10

array_merge?

Thema: checking $_REQUEST without the double impact value

Themen-Optionen

Thema durchsuchen

Anzeige

Lesezeichen

Lesezeichen

Berechtigungen