API, $_Request and security

For discussion of the Poker Mavens server module and other administration topics
social
Posts: 211
Joined: Fri Nov 20, 2009 12:23 am

Post by social »

An amateur coder who was looking at the API examples told me that using $_Request was an older coding method,
and he did not think it was safe.

He pointed me to this page, as if it somehow confirmed his statement:
http://php.net/manual/en/reserved.variables.request.php

The only thing I could see there was that it says that $_Request could be modified by remote users and "cannot be trusted".

I'd appreciate some help in placing that into a proper context and understanding whether or not it is an issue, or how much it is a big deal...

Is this going to be an issue if I let other websites interact with my server and update their players' stats and leaderboards etc?
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: API, $_Request and security

Post by Kent Briggs »

social wrote: An amateur coder who was looking at the API examples told me that using $_Request was an older coding method, and he did not think it was safe.

$_REQUEST is used when you don't care if the parameters were passed by GET or POST. If there's a newer method for that, I'm not aware of it. If you want to restrict fetching parameters to GET, then use $_GET. To restrict to POST, use $_POST.

social wrote: The only thing I could see there was that it says that $_Request could be modified by remote users and "cannot be trusted".

I don't know what they mean by that. Every API call requires the API password so no one can modify anything without knowing that.
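
Added example, not part of either post above and not Poker Mavens code: a PHP sketch of a handler that a site could put in front of stats updates arriving from other websites. It reads only the POST body, checks a shared key, and validates every value, since all request parameters are client-supplied whichever superglobal they come from. The field names `key`, `player` and `chips`, the `PARTNER_KEY` constant and the function name are hypothetical.

```php
<?php
// Added example, not Poker Mavens code. The field names (key, player, chips)
// and PARTNER_KEY are hypothetical placeholders.
const PARTNER_KEY = 'replace-with-a-long-random-secret';

// Validate one inbound stats update. Pass $_POST in production so only the
// POST body is read; $_REQUEST would accept the same names from the query
// string too (and from cookies, depending on request_order in php.ini).
function parse_stats_update(array $post): array
{
    // 1. Authenticate first. hash_equals() compares in constant time.
    $key = $post['key'] ?? '';
    if (!is_string($key) || !hash_equals(PARTNER_KEY, $key)) {
        return ['ok' => false, 'error' => 'bad key'];
    }
    // 2. A valid key does not make the values safe: check type and range.
    $player = $post['player'] ?? '';
    if (!is_string($player) || !preg_match('/\A[A-Za-z0-9_-]{3,12}\z/', $player)) {
        return ['ok' => false, 'error' => 'bad player'];
    }
    $chips = filter_var($post['chips'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000000]]);
    if ($chips === false) {
        return ['ok' => false, 'error' => 'bad chips'];
    }
    return ['ok' => true, 'player' => $player, 'chips' => $chips];
}

// Constructed sample request bodies (not real traffic).
$samples = [
    ['key' => PARTNER_KEY, 'player' => 'alice_01', 'chips' => '2500'],
    ['key' => 'guess', 'player' => 'alice_01', 'chips' => '2500'],
    ['key' => PARTNER_KEY, 'player' => ['x'], 'chips' => '2500'],
    ['key' => PARTNER_KEY, 'player' => 'alice_01', 'chips' => '-5'],
];
foreach ($samples as $body) {
    echo json_encode(parse_stats_update($body)), PHP_EOL;
}
```

In a live endpoint the call would be `parse_stats_update($_POST)`, with the validated result passed on to whatever performs the update.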