Martin Marques wrote: > Yesterday when reading some doc on PHP I noticed the $_REQUEST > predefined array, which looked like a solution to having to check in GET > and POST data (I'm not sure if it will really have an impact on my > program yet). Yes, request is simply a merge of these arrays. It can be very useful and tends to be rather under used in PHP examples. > > The thing is, I also saw this description: > > Variables provided to the script via the GET, POST, and COOKIE input > mechanisms, and which therefore cannot be trusted. > > Now, why shouldn't it be trusted? > No user data should be trusted. It's possible for the user to provide absolutely anything in these variables and unless you check it, you have no idea what you have actually received. This covers everything provided from the user, get, post and cookie variables, $_REQUEST as an amalgamation of these three should be equally untrusted. David -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
