API, $_Request and security

For discussion of the Poker Mavens server module and other administration topics

Post by social » Fri Jan 15, 2010 10:47 am

An amateur coder who was looking at the API examples told me that using $_Request was an older coding method,
and he did not think it was safe.

He pointed me to this page, as if it somehow confirmed his statement:
http://php.net/manual/en/reserved.variables.request.php

The only thing I could see there was that it says that $_Request could be modified by remote users and "cannot be trusted".

I'd appreciate some help in placing that into a proper context and understanding whether or not it is an issue, or how much it is a big deal...

Is this going to be an issue if I let other websites interact with my server and update their players' stats and leaderboards etc?

Re: API, $_Request and security

Post by Kent Briggs » Fri Jan 15, 2010 11:27 am

social wrote: An amateur coder who was looking at the API examples told me that using $_Request was an older coding method,
and he did not think it was safe.


$_REQUEST is used when you don't care if the parameters were passed by GET or POST. If there's a newer method for that, I'm not aware of it. If you want to restrict fetching parameters to GET, then use $_GET. To restrict to POST, use $_POST.

social wrote: The only thing I could see there was that it says that $_Request could be modified by remote users and "cannot be trusted".


I don't know what they mean by that. Every API call requires the API password so no one can modify anything without knowing that.
Kent Briggs
Briggs Softworks - http://www.briggsoft.com
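
Added illustration for this thread (not part of either post and not Poker Mavens sample code): $_REQUEST merges the query string, the POST body and, depending on the request_order setting, cookies, so one parameter name can arrive from more than one place. The PHP below reads from a single named source and validates each value; the field names, limits and shared key are hypothetical, and the input arrays are constructed.

```php
<?php
// Added example. Field names (key, player, chips) and limits are hypothetical.

/**
 * Validate one stats update taken from an explicit source array.
 * Returns the cleaned values or throws InvalidArgumentException.
 * In a live script the first argument would be $_POST.
 */
function read_update(array $post, string $sharedKey): array
{
    // Authenticate the caller; hash_equals() compares in constant time.
    $key = $post['key'] ?? '';
    if (!is_string($key) || !hash_equals($sharedKey, $key)) {
        throw new InvalidArgumentException('bad key');
    }
    // A valid key says who is calling, not that the values are sane.
    $player = $post['player'] ?? '';
    if (!is_string($player) || !preg_match('/^[A-Za-z0-9_-]{3,12}$/', $player)) {
        throw new InvalidArgumentException('bad player name');
    }
    $chips = filter_var($post['chips'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($chips === false) {
        throw new InvalidArgumentException('bad chip count');
    }
    return ['player' => $player, 'chips' => $chips];
}

// Constructed input standing in for the three sources of one HTTP request.
$get    = ['chips' => '5'];                                       // query string
$post   = ['key' => 'k3y', 'player' => 'alice', 'chips' => '50']; // form body
$cookie = ['player' => 'bob'];                                    // Cookie header

// What $_REQUEST would hold: with request_order = "GP" it is GET then POST;
// with "GPC" cookies are merged last and win on a name clash.
$requestGP  = array_merge($get, $post);
$requestGPC = array_merge($get, $post, $cookie);
echo $requestGP['player'], ' vs ', $requestGPC['player'], "\n";

// Reading one named source removes that ambiguity.
print_r(read_update($post, 'k3y'));

// Every source is client-supplied, so validation applies even with a good key.
try {
    read_update(['key' => 'k3y', 'player' => 'alice', 'chips' => '-1'], 'k3y');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```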

