In general, if it relies on user-submitted (via GET, POST, etc.) data and you don't sanitize it before use, you might be vulnerable in some way.
Also, according to php.net, $_REQUEST doesn't necessarily track updates that may be done within the program to $_GET or $_POST data. If I were programming it, I wouldn't rely on $_REQUEST, but construct my own internal array from GET, POST (or both, with a defined preference) while sanitizing/validating the data as it's included into the internal structure.
Alternately, if you have a list of defined app names, you can create a fixed array of the names, then try to match your incoming user data with in_array() or array_search().
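The two suggestions in the answer above, combined in one sketch. This is an added example, not part of the original post. The function name `collect_input`, the parameter names `app` and `id`, and the allowlist values are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed allowlist of app names (hypothetical values).
const ALLOWED_APPS = ['calendar', 'mail', 'notes'];

/**
 * Build an internal input array from GET and POST instead of $_REQUEST.
 * Only keys named in $rules are copied; POST wins over GET when both carry
 * the same key; a value that fails its validator is dropped, with no
 * fallback to the other source.
 */
function collect_input(array $get, array $post, array $rules): array
{
    $clean = [];
    foreach ($rules as $key => $validator) {
        // Defined preference: POST first, then GET.
        $raw = $post[$key] ?? $get[$key] ?? null;
        // Skip missing values and array-typed parameters (e.g. ?app[]=x).
        if (!is_string($raw)) {
            continue;
        }
        $value = $validator(trim($raw));
        if ($value !== null) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

$rules = [
    // Strict in_array() (third argument true) avoids loose-comparison matches.
    'app' => fn(string $v): ?string => in_array($v, ALLOWED_APPS, true) ? $v : null,
    // Digits only, bounded length, then cast to int.
    'id'  => fn(string $v): ?int => (ctype_digit($v) && strlen($v) <= 9) ? (int)$v : null,
];

// Constructed sample data standing in for $_GET and $_POST.
$sampleGet  = ['app' => 'mail', 'id' => '42', 'debug' => '1'];
$samplePost = ['app' => '../../etc/passwd'];

// In a real request handler: collect_input($_GET, $_POST, $rules).
$input = collect_input($sampleGet, $samplePost, $rules);
var_dump($input);
```

The rest of the application then reads only from `$input`, so a key that was never listed in `$rules` (such as `debug` here) cannot reach later code.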