Dan Baker wrote:
Why is using $_REQUEST a security issue? You know every value in the entire array came from the end-user, and needs to be validated somehow. If your code is written so the end-user can send this data to you via a POST/GET/COOKIE, why not use $_REQUEST?
On the one hand, you can't trust anything that came from the client, but on the other if you're expecting a variable to come from a cookie and instead it comes from a get you know something weird is going on, but using $_REQUEST you'll be oblivious. You ought to know where your variable values are coming from, $_REQUEST hides this.
In older versions of PHP4 this is even more of an issue since $_FILE information was also included in $_REQUEST. If someone uploades a file while including conflicting information from another source (cookie, post, get) this could lead to all sorts of problems.
And the lazy guy answer... typing $_POST and $_GET is faster than typing $_REQUEST ;-).
- Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
