[[Request Functions / API]]
Recent changes RSS feed
 
You are here: Web Application Component Toolkit » security » functions » Request Functions / API
Table of Contents

Request Functions / API

HTTP Request

See PHP HTTP Request Handling Summary.

Superglobals

$_GET

Variables via the URL (HTTP GET)

$_POST

Variables from a form with method=”POST” (HTTP POST)

$_COOKIE

Variables extracted from the cookie HTTP header, sent by the browser

$_REQUEST

$_REQUEST is $_GET, $_POST and $_COOKIE combined. It can be a source of logic errors as if a variable exists in both $_GET and $_POST, the value will be taken from the input data that was parsed later by PHP, as controlled by the PHP ini setting variables-order. The default setting means a $_POST variable will override a $_GET variable of the same name.

$_SERVER

The $_SERVER superglobal largely corresponds to variables used in the Common Gateway Interface - see Data Input to the CGI Script.

Watch out for $_SERVER keys beginning with HTTP_X_ - these are passed straight-through from the client request so easy to spoof. It’s common to use; 

$_SERVER['HTTP_X_FORWARDED_FOR']

As a fallback for; 

$_SERVER['REMOTE_ADDR']

for when a proxy server is between the client and server. But; 

$_SERVER['HTTP_X_FORWARDED_FOR']

can be easily spoofed should not be relied upon - see phpBB IP Spoofing Issue for an example of the potential issues and DetectingClientAddress

$_FILES

This array contains files uploaded from a form. This is a prime location for security holes. Use PEAR::HTTP_Upload to upload files - see Pear File Uploader for a tutorial.

Exploits

Global Variable Attack Parameter Manipulation Attack

This function list is probably incomplete. See A Catalog of Security Sensitive PHP Functions and Web Application Security

 
security/functions/request_functions.txt · Last modified: 2006/12/09 17:15
 
Hosting for this site donated by Procata PHP Development