News Feed

News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Stefan Esser's Blog:
PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking
October 01, 2008 @ 07:53:22

In this new post to his blog Stefan Esser looks at cross-site request forgeries and how they can be prevented in PHP 5.3 by two things - the request_order directive in your php.ini and by not using $_REQUEST anymore.

Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. [...] With request_order it is now possible to control in what order $_REQUEST is created and what variable sources are taken into account. This finally allows removing cookie data from $_REQUEST without removing them from $_COOKIE also.

He explains why the use of $_REQUEST can lead to such problems (and security holes) and notes that its use makes overriding an application's GET or POST values as simple as adding a cookie. There's even a method for creating a Denial of Service attack against a site using $_REQUEST like this. He points to an example similar to this that happened with phpMyAdmin a while back.

His recommendation?

Once PHP 5.3 is out it is recommended for hosters to set request_order to "GP" on all the servers running arbitrary PHP applications to protect applications [and] application developers on the other hand should finally move away from using $_REQUEST for user input.
0 comments voice your opinion now!
php5 crosssiterequest forgery hijack request get requestorder

blog comments powered by Disqus

Similar Posts

Community News: PHP 5.3 RC2 Released

The PHP Grind: Get real about PHP4 vs. PHP5!

Helgi's Blog: PEAR installer updating its PHP deps

Stuard Herbert's Blog: When will you be moving to PHP 5.3?

Lukas Smith's Blog: Making PHP 5.3 Happen

Community Events

Don't see your event here?
Let us know!

composer list community application podcast laravel part2 series yii2 api php7 example project interview introduction opinion symfony framework programming language

All content copyright, 2015 :: - Powered by the Solar PHP Framework