
Is $_SERVER[REQUEST_METHOD] manipulable?

In a PHP project I'm developing I have a couple of requests that can be either POST or GET. Currently, I'm using the $_SERVER[REQUEST_METHOD] value to determine which request array to use. I know that $_REQUEST values can be manipulated with cookies; is the $_SERVER superglobal vulnerable to attacks?

The $_SERVER superglobal is filled by PHP with data it gets from the web server.

So unless the attacker replaces the web server with his own, or manages an extremely lucky buffer overflow against the server, you are fine.

REQUEST_METHOD is not limited to POST and GET - you also need to handle HEAD (IIRC PHP terminates the script at the first byte of output when it sees that method) and (on less likely setups) you may get some WebDAV verbs.

In what sense can $_REQUEST be "manipulated" with cookies? Cookies do override values coming from POST and GET, but all three values are directly controlled by the client making the request.

If you want GET and POST to have priority over cookies, you can set the variable request_order in your php.ini:

request_order = CGP

(which gives POST priority over GET, and GET priority over cookies). You can even leave out C altogether.

Old thread, but since the most voted answer is wrong and security is an important concern, here we go: not only REQUEST_METHOD but also other values in $_SERVER can be tainted.

See for example http://www.php.net/manual/en/reserved.variables.server.php#95672 and http://shiflett.org/blog/2006/mar/server-name-versus-http-host

So don't trust them blindly.
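A way to apply the advice in this thread in practice (treat REQUEST_METHOD as a client-chosen string checked against an explicit allowlist, read $_GET or $_POST rather than $_REQUEST, and do not use host-derived $_SERVER values unchecked), as an added example that is not part of the original thread; the allowed host list and the `page` parameter are constructed placeholders:

```php
<?php
// Added example, not from the original thread. Assumes a single-entry-point
// script; ALLOWED_HOSTS is a constructed placeholder for the site's real hosts.
declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Pick the input array from a strict allowlist of methods. REQUEST_METHOD is
 * handed to PHP by the web server, but the method string itself is chosen by
 * the client, so anything outside the allowlist (OPTIONS, WebDAV verbs,
 * arbitrary tokens) is refused instead of being treated as GET by default.
 */
function requestInput(array $server, array $get, array $post): array
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? '');
    switch ($method) {
        case 'GET':
        case 'HEAD':   // same parameters as GET; PHP stops at the first output
            return $get;
        case 'POST':
            return $post;
        default:
            http_response_code(405);
            header('Allow: GET, HEAD, POST');
            exit;
    }
}

/**
 * HTTP_HOST (and SERVER_NAME on servers that echo the Host header) are
 * client-controlled, so the value is only used after it matches a fixed list.
 */
function canonicalHost(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        http_response_code(400);
        exit('Unknown host');
    }
    return $host;
}

$input = requestInput($_SERVER, $_GET, $_POST);   // never $_REQUEST
$host  = canonicalHost($_SERVER);
$page  = filter_var($input['page'] ?? 1, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
echo 'https://' . $host . '/items?page=' . ($page === false ? 1 : $page);
```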
