
Thread: checking $_REQUEST without the double impact value

  1. #1
    New user
    Registered since
    20.07.2010
    Posts
    11
    Hey all,

    Does anyone know if $_SERVER['REQUEST_METHOD'] can be trusted?

    If it can be trusted, would that mean that something like the following is sane?

    Code:
    if (!in_array($_SERVER['REQUEST_METHOD'], array('GET', 'POST'))) {
        // Any other method: check $_REQUEST
        $request = array(
            'REQUEST' => $_REQUEST,
            'COOKIE' => $_COOKIE
        );
    } else {
        // GET or POST: check the individual superglobals
        $request = array(
            'GET' => $_GET,
            'POST' => $_POST,
            'COOKIE' => $_COOKIE
        );
    }
    My reasoning behind this is that I only want an attack reported once so the impact value is consistent.

    Is there a problem with this? Or should I be checking everything (as in REQUEST, GET, POST, COOKIE) on every request?

    thanks for your time,

    ampt

  2. #2
    Moderator .mario
    Registered since
    30.05.2007
    Posts
    924
    I think it should depend on your variables_order setting - and on the application especially regarding HPP. You should be fine with _REQUEST but there might be edge cases where an attacker can bypass the detection. Are you trusted with HPP (HTTP Parameter Pollution)?

  3. #3
    New user
    Registered since
    20.07.2010
    Posts
    11
    Yes you're right, I've come to the conclusion that it's better to check everything just to be sure.

    thanks mario

  4. #4
    New user
    Registered since
    30.05.2012
    Posts
    6
    array_merge?
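
The trade-off discussed in this thread, as an added example that is not part of any post: it shows a $_REQUEST-only scan missing a GET value that POST shadows, and a scan of all sources that scores a repeated value only once. `score_value()` is a hypothetical stand-in for the IDS rule engine, the request data is constructed, and `build_request()` only approximates how PHP fills $_REQUEST for flat parameters.

```php
<?php
// Added example, not code from the thread. All request data below is constructed.

// Hypothetical stand-in for the IDS rule engine: impact score for one value.
function score_value(string $value): int
{
    return preg_match('/<script\b|\bunion\s+select\b/i', $value) ? 10 : 0;
}

// Approximates how PHP fills $_REQUEST for flat parameters: sources are applied
// in request_order (or variables_order), and a later source overwrites an
// earlier one when both carry the same key.
function build_request(array $sources, string $order): array
{
    $merged = [];
    foreach (str_split($order) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Scan every source, but score each distinct key/value pair only once, so a
// value that shows up in both $_GET and $_REQUEST does not double the impact.
function scan_once(array $sources): int
{
    $seen = [];
    $impact = 0;
    foreach ($sources as $params) {
        array_walk_recursive($params, function ($value, $key) use (&$seen, &$impact) {
            $id = $key . "\0" . (string) $value;
            if (!isset($seen[$id])) {
                $seen[$id] = true;
                $impact += score_value((string) $value);
            }
        });
    }
    return $impact;
}

$sources = [
    'G' => ['q' => '<script>alert(1)</script>', 'page' => '2'],
    'P' => ['q' => 'harmless'],
    'C' => ['sid' => 'abc123'],
];

// request_order "GP": POST's q replaces GET's q, so a $_REQUEST-only scan never sees it.
printf("REQUEST only (GP): %d\n", scan_once(['R' => build_request($sources, 'GP')]));
// All sources plus $_REQUEST built with "PG", where GET's q is the one that survives.
printf("GET+POST+COOKIE+REQUEST: %d\n", scan_once($sources + ['R' => build_request($sources, 'PG')]));
```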
