ampt, Jul 20th 2010
    Hey all,

    Does anyone know if $_SERVER['REQUEST_METHOD'] can be trusted?

    If it can be trusted, would that mean that something like the following is sane?


    if (!in_array($_SERVER['REQUEST_METHOD'], array('GET', 'POST'))) {
        // check $_REQUEST
        $request = array(
            'REQUEST' => $_REQUEST,
            'COOKIE'  => $_COOKIE
        );
    } else {
        $request = array(
            'GET'    => $_GET,
            'POST'   => $_POST,
            'COOKIE' => $_COOKIE
        );
    }


    My reasoning behind this is that I only want an attack reported once so the impact value is consistent.

    Is there a problem with this? Or should I be checking everything (as in REQUEST, GET, POST, COOKIE) on every request?

    thanks for your time,

    ampt
.mario, Aug 5th 2010 (edited)
    I think it should depend on your variables_order setting, and on the application, especially regarding HPP. You should be fine with _REQUEST, but there might be edge cases where an attacker can bypass the detection. Are you trusted with HPP (HTTP Parameter Pollution)?
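    As an added illustration of the two caveats raised above (the contents of $_REQUEST depend on variables_order, and PHP collapses repeated parameter names when it fills $_GET and $_POST, which is what makes HPP a detection-bypass concern), the snippet below builds one consolidated view of every inbound parameter independent of REQUEST_METHOD. It is example code, not from either poster; the $server array and $rawBody string are constructed stand-ins for $_SERVER and file_get_contents('php://input'), and the helper names all_pairs and collect_inputs are my own.

```php
<?php
// Added example: gather every input occurrence regardless of request method,
// without the duplicate-key collapsing that parse_str()/$_GET/$_POST apply.

// Constructed sample request (stands in for $_SERVER and php://input).
// Note the repeated "id" and "user" keys: classic HPP shape.
$server  = ['REQUEST_METHOD' => 'POST', 'QUERY_STRING' => 'id=1&id=2%20OR%201%3D1'];
$rawBody = 'user=alice&user=bob';

// For contrast: what PHP's own parsing hands you. Only the last value of a
// repeated key survives, so a check over $_GET/$_POST/$_REQUEST sees one value.
parse_str($server['QUERY_STRING'], $collapsedGet);
parse_str($rawBody, $collapsedPost);

/**
 * Split a urlencoded string into [key, value] pairs in wire order,
 * keeping every occurrence of a repeated key.
 */
function all_pairs(string $raw): array
{
    $pairs = [];
    if ($raw === '') {
        return $pairs;
    }
    foreach (explode('&', $raw) as $part) {
        if ($part === '') {
            continue;
        }
        $kv      = explode('=', $part, 2);
        $pairs[] = [urldecode($kv[0]), urldecode($kv[1] ?? '')];
    }
    return $pairs;
}

/**
 * Collect query string, urlencoded body and cookies on every request,
 * tagging each entry with its source so a finding can be reported once
 * per parameter occurrence rather than once per superglobal.
 * Assumption: the body is application/x-www-form-urlencoded; a multipart
 * body would need its own parser (and php://input is not available for it).
 */
function collect_inputs(array $server, string $rawBody, array $cookie): array
{
    $inputs = [];
    foreach (all_pairs($server['QUERY_STRING'] ?? '') as [$k, $v]) {
        $inputs[] = ['source' => 'GET', 'key' => $k, 'value' => $v];
    }
    foreach (all_pairs($rawBody) as [$k, $v]) {
        $inputs[] = ['source' => 'POST', 'key' => $k, 'value' => $v];
    }
    foreach ($cookie as $k => $v) {
        $inputs[] = ['source' => 'COOKIE', 'key' => $k, 'value' => (string) $v];
    }
    return $inputs;
}

$inputs = collect_inputs($server, $rawBody, ['sess' => 'abc']);

printf("collapsed view: id=%s user=%s\n", $collapsedGet['id'], $collapsedPost['user']);
foreach ($inputs as $i) {
    printf("%-6s %-5s %s\n", $i['source'], $i['key'], $i['value']);
}
```

    Run from the CLI, the collapsed view shows a single id and a single user, while the consolidated list carries both id values and both user values, and it does so whether the method is GET, POST or anything else, since it never consults REQUEST_METHOD or variables_order. In a real handler, replace the constructed values with $_SERVER['QUERY_STRING'] and file_get_contents('php://input'), and run the detection pass over the returned list.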
ampt, Aug 31st 2010
    Yes, you're right. I've come to the conclusion that it's better to check everything just to be sure.

    thanks mario