Difference between revisions of "HTTP Request Handling Library"
Abhishek Das (talk | contribs) (Created page with "<h4>Introduction</h4> HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applicat...") |
Abhishek Das (talk | contribs) |
Line 1: | Line 1: | ||
<h4>Introduction</h4> | <h4>Introduction</h4> | ||
− | HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applications based on values of $_SERVER (most of which are set using HTTP request). While not all values under $_SERVER are unreliable, some of the values such as | + | HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applications based on values of <code>$_SERVER</code> (most of which are set using HTTP request). While not all values under <code>$_SERVER</code> are unreliable, some of the values such as 'QUERY_STRING', 'HTTP_REFERRER' etc are entirely arbitrary information sent by the client. This library provides wrappers which securely process these data and hand them to user, and replaces the <code>$_SERVER</code> values that are insecure with objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so that developers can no longer directly access them. |
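Review bot: 'HTTP_REFERRER' in the added text is a misspelling of the PHP $_SERVER key, which is 'HTTP_REFERER' (a single R); a reader who copies the name as written will look up an entry that never exists. The revision also wraps $_SERVER in <code> tags but leaves the key names 'QUERY_STRING', 'HTTP_REFERRER' and HTTP_HOST as plain text; wrap them the same way for consistency.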
Latest revision as of 16:36, 28 July 2013
Introduction
An HTTP request is user input. Many developers forget this and treat it as a trustworthy source, configuring many aspects of their applications from the values in $_SERVER (most of which are populated from the HTTP request). Not all values in $_SERVER are unreliable, but some, such as 'QUERY_STRING' and 'HTTP_REFERER', are entirely arbitrary information sent by the client. This library provides wrappers that process this data securely before handing it to the user, and replaces the insecure $_SERVER values (HTTP_HOST, for example) with objects that throw an exception when cast to string, so that developers can no longer access them directly.
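The mechanism described above, as an added PHP illustration rather than the library's own code: client-controlled $_SERVER entries are swapped for objects whose string cast throws, and the only way to read them is through accessors that validate first. The class names (UntrustedServerValue, SecureRequest), the list of keys treated as client-controlled, the host allow-list, and the sample request are all assumptions made for this example; the page does not give the library's API.

```php
<?php
// Added example of the idea on this page: wrap untrusted $_SERVER entries in
// objects that refuse to be used as strings and expose them only through
// validating accessors. Names and key list are assumptions for this example,
// not the OWASP library's own API.

final class UntrustedServerValue
{
    public function __construct(private string $key, private string $raw) {}

    // Any implicit or explicit string cast is an error: the developer must
    // go through a validating accessor instead of using the raw header.
    public function __toString(): string
    {
        throw new LogicException(
            "\$_SERVER['{$this->key}'] is client-controlled; use SecureRequest accessors"
        );
    }

    public function raw(): string { return $this->raw; }
}

final class SecureRequest
{
    // Keys the client sets entirely or can influence (assumed list for the example).
    private const CLIENT_CONTROLLED = ['HTTP_HOST', 'HTTP_REFERER', 'QUERY_STRING', 'HTTP_USER_AGENT'];

    /** @var array<string, string|UntrustedServerValue> */
    private array $server;

    /** @param string[] $allowedHosts lower-case host names the application serves */
    public function __construct(array $server, private array $allowedHosts)
    {
        $this->server = $server;
        foreach (self::CLIENT_CONTROLLED as $key) {
            if (isset($server[$key])) {
                $this->server[$key] = new UntrustedServerValue($key, (string) $server[$key]);
            }
        }
    }

    /** Copy of $_SERVER with the untrusted entries wrapped; use this instead of the global. */
    public function server(): array { return $this->server; }

    /** Host name checked against the configured allow-list, never the raw header. */
    public function host(): string
    {
        $raw = $this->server['HTTP_HOST'] ?? null;
        $value = $raw instanceof UntrustedServerValue ? $raw->raw() : (string) $raw;
        $host = strtolower((string) preg_replace('/:\d+$/', '', $value)); // strip a port suffix
        if (!in_array($host, $this->allowedHosts, true)) {
            throw new RuntimeException('Host header not in allow-list');
        }
        return $host;
    }

    /** Referrer as parsed URL components, or null when absent or unparseable. */
    public function referer(): ?array
    {
        $raw = $this->server['HTTP_REFERER'] ?? null;
        if (!$raw instanceof UntrustedServerValue) { return null; }
        $parts = parse_url($raw->raw());
        return ($parts !== false && isset($parts['scheme'], $parts['host'])) ? $parts : null;
    }

    /** Query string decoded into an array; each field still needs its own validation. */
    public function query(): array
    {
        $raw = $this->server['QUERY_STRING'] ?? null;
        $out = [];
        parse_str($raw instanceof UntrustedServerValue ? $raw->raw() : '', $out);
        return $out;
    }
}

// Constructed sample request (not a real capture) to show the behaviour.
$sample = [
    'SERVER_SOFTWARE' => 'Apache',
    'HTTP_HOST'       => 'evil.example:8080',
    'HTTP_REFERER'    => 'https://example.com/page?x=1',
    'QUERY_STRING'    => 'id=42&name=alice',
];
$req = new SecureRequest($sample, ['example.com']);

print_r($req->query());                               // decoded id and name
print_r($req->referer());                             // parsed referrer components
try {
    echo 'Link: ' . $req->server()['HTTP_HOST'];      // implicit cast -> LogicException
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL;
}
try {
    $req->host();                                     // not allow-listed -> RuntimeException
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The wrapper object makes the insecure path fail loudly at the exact line that tries to concatenate or echo the raw header, while the accessors give the application a validated host, a parsed referrer, or a decoded query array; the allow-list check on the host is what turns HTTP_HOST from attacker-controlled text into configuration the application owns.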