> Suppose you have a form that posts set hidden values. A malicious user
> could modify the URI to change those values.

A malicious user could just as easily modify the HTTP header that sets the POST, or the cookie that sets the COOKIE, or whatever. In other words, if it comes from the user, it could have been tampered with.

> Which raises the question, in the scenario above, you may have an identical
> 'post' value and 'get' value submitted to the same page. Which takes
> precedence in $_REQUEST?

That is configurable in php.ini (I think). By default, COOKIE overwrites POST overwrites GET.

--
PHP General Mailing List (http://www.php.net/)
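An added example, not part of the original message: it mimics how the merge order set by the `request_order` / `variables_order` php.ini strings decides which duplicate value lands in `$_REQUEST`, then shows a hidden field read from `$_POST` only and checked against a server-side HMAC. The helper names (`merge_request`, `sign_field`, `read_hidden_price`), the `price` / `price_mac` fields and the key are assumptions constructed for the illustration.

```php
<?php
// Added illustration; all function names and sample values are constructed.

// Mimic how PHP fills $_REQUEST: sources are merged in the order given by the
// ini string, and a later letter overwrites an earlier one.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed request: the same field name arrives by query string, body and cookie.
$get    = ['price' => '1.00'];
$post   = ['price' => '49.99'];
$cookie = ['price' => '0.01'];

echo merge_request('GPC', $get, $post, $cookie)['price'], "\n"; // cookie is merged last
echo merge_request('GP',  $get, $post, $cookie)['price'], "\n"; // cookie is not merged at all

// Hardened handling of a hidden field: read it from the one source the form
// uses, and verify a server-side HMAC so a modified value is rejected.
const SECRET = 'constructed-demo-key'; // assumption: a real key lives in server config

function sign_field(string $value): string
{
    return hash_hmac('sha256', $value, SECRET);
}

function read_hidden_price(array $post): ?string
{
    $value = $post['price'] ?? null;
    $mac   = $post['price_mac'] ?? null;
    if (!is_string($value) || !is_string($mac)) {
        return null; // missing field, or an array was submitted in its place
    }
    // hash_equals() compares in constant time
    return hash_equals(sign_field($value), $mac) ? $value : null;
}

$genuine  = ['price' => '49.99', 'price_mac' => sign_field('49.99')];
$tampered = ['price' => '0.01',  'price_mac' => $genuine['price_mac']];

var_dump(read_hidden_price($genuine));  // accepted: value matches its MAC
var_dump(read_hidden_price($tampered)); // rejected: value was changed after signing
```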