News Feed

News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Stefan Esser's Blog:
PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking
October 01, 2008 @ 07:53:22

In this new post to his blog Stefan Esser looks at cross-site request forgeries and how they can be prevented in PHP 5.3 by two things - the request_order directive in your php.ini and by not using $_REQUEST anymore.

Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. [...] With request_order it is now possible to control in what order $_REQUEST is created and what variable sources are taken into account. This finally allows removing cookie data from $_REQUEST without removing them from $_COOKIE also.

He explains why the use of $_REQUEST can lead to such problems (and security holes) and notes that its use makes overriding an application's GET or POST values as simple as adding a cookie. There's even a method for creating a Denial of Service attack against a site using $_REQUEST like this. He points to an example similar to this that happened with phpMyAdmin a while back.

His recommendation?

Once PHP 5.3 is out it is recommended for hosters to set request_order to "GP" on all the servers running arbitrary PHP applications to protect applications [and] application developers on the other hand should finally move away from using $_REQUEST for user input.
0 comments voice your opinion now!
php5 crosssiterequest forgery hijack request get requestorder

blog comments powered by Disqus

Similar Posts

Mike Lively's Blog: Late Static Binding (LSB) forward_static_call()

Matthew Weir O'Phinney's Blog: PHP 5's Reflection API

DevShed: Generating Outputs from MySQL with Static Members and Methods in PHP 5

Ilia Alshanetsky's Blog: PHP 5.2.0RC5 is out!

Joshua Eichorn's Blog: Cool Things in PHP5 azPHP Slides

Community Events

Don't see your event here?
Let us know!

laravel opinion example voicesoftheelephpant version security interview php7 language introduction community framework podcast list library series release api extension laravel5

All content copyright, 2015 :: - Powered by the Solar PHP Framework