I agree, no argument there. Data coming from the user should always be considered malicious. I'm just pointing out one reason not to use _REQUEST, but there are instances where the _REQUEST variable can be useful (just be very careful).

Regarding _GET and _POST using the same name, there are instances where this can be useful, not at the same time in one page but rather interchangeably. For example, on one page submit you get the data from $_GET['sameName'] and on the next page submit you get it from $_POST['sameName']; this is for dynamic purposes. There are situations where, for example, data in _GET needs to be passed but you need to pass your page using POST. (Like I said, be careful and don't overuse it because of laziness.)

(I hope I'm being clear.)

On 2/14/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Mon, February 12, 2007 8:41 pm, J R wrote:
> it is not advised to do filtering on _REQUEST, getting data in general
> from it actually. It is much better to specify where your data is coming
> from (e.g. _POST or _GET). This is because variable _REQUEST contains all
> the data from the cookies, get and post. and if ever you have the same
> variable name on two or more of those variables you might get the wrong
> one.
>
> and as we all know there is a security risk with cookies. users can
> easily replace your data, for example in post, using cookies.

Or they could replace all the POST data using POST...

A Bad Guy would have to be incredibly naive, unskilled, and downright dumb to be caught by your script differentiating between GET/POST/COOKIE as the source of the data.

Spoofing a POST is a matter of saving the HTML locally and filling in whatever you want for extra INPUT and the values you like.

If you intentionally have 2 (or more) inputs to your script of the same name, one each from GET/POST/COOKIE, I'd have to say that's a pretty confusing design from the get-go.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- GMail Rocks!!!
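
Added illustration, not part of the original thread: the same-name collision discussed above, simulated in PHP. `build_request()` and `colliding_names()` are hypothetical helpers and the request values are constructed; the order strings follow PHP's `variables_order` / `request_order` settings, where a later source overwrites an earlier one (top-level names only here).

```php
<?php
// Added example; helper names and sample values are constructed.

// Rebuild what $_REQUEST would hold for a given order string.
// Sources are merged left to right, so a later letter overwrites
// an earlier one when two sources use the same name.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is (array_merge would renumber numeric ones).
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Names supplied by more than one source: these are the ambiguous ones.
function colliding_names(array $get, array $post, array $cookie): array
{
    $count = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach (array_keys($source) as $name) {
            $count[$name] = ($count[$name] ?? 0) + 1;
        }
    }
    return array_keys(array_filter($count, function ($n) { return $n > 1; }));
}

// Constructed request: the form posts sameName and a cookie carries it too.
$get    = ['page' => '2'];
$post   = ['sameName' => 'from-post-body'];
$cookie = ['sameName' => 'from-cookie'];

// Order "GPC" (the G, P, C part of the old "EGPCS" default): the cookie shadows the POST field.
var_dump(build_request('GPC', $get, $post, $cookie)['sameName']);

// Order "GP": cookies never enter the merged array.
var_dump(build_request('GP', $get, $post, $cookie)['sameName']);

// Flag ambiguous names so they can be logged or rejected.
var_dump(colliding_names($get, $post, $cookie));

// Reading from the named source removes the ambiguity only; the value
// is still user-controlled and still has to be validated.
$value = $post['sameName'] ?? null;
```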