On Fri, August 24, 2007 3:20 am, Goltsios Theodore wrote:
>> Please do not encourage the use of $_REQUEST.
>>
>> You might as well just tell people to enable register_globals again.

This is *SO* not correct at all!

$_REQUEST[] is merely array_merge($_GET, $_POST, $_COOKIE);

It is *NOT* in any way, shape, or form, polluting the global namespace of all your variables, which is what register_globals is.

Don't use http://php.net/extract on $_REQUEST: that would be the same as enabling register_globals again.

There is no real difference from a SECURITY stand-point between GET or POST or COOKIE. They are all equally trivial to inject any data the user chooses.

Using $_GET versus $_POST (versus $_COOKIE) is an issue of code clarity -- You know that the data is expected to come from the URL or the POST data. It is not, repeat not, an issue of Security.

There could easily be a script written which is expected to respond to GET or POST data in the same way, particularly a simplistic web-service that doesn't really care if the web "Designers" prefer to have buttons or links or CSS links that look like buttons or CSS buttons that look like links or rabid squirrels that send the GET and/or POST data to make the HTTP request.

So the blanket statement to never use $_REQUEST is probably ill-advised.

Use $_POST when you expect the data to always be in POST data.

Use $_GET when you expect the data to always be in GET data.

If you actually want to accept HTTP requests of either kind for flexibility to an external user, by all means use REQUEST.

You must, of course, also factor in that you should never ever use POST for a non-idempotent operation. Or, in layman's terms, if the script *changes* data, use POST and not GET. That is a totally separate reason to choose POST over GET or vice versa.

ymmv
naiaa
ianal

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
-- PHP General Mailing List (http://www.php.net/)
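
The distinction drawn in the message above, between reading a key from the merged request array and calling extract() on it, shown as an added example that is not part of the original post. The arrays `$get`, `$post`, `$cookie` and `$request` and both function names are constructed stand-ins (assumptions) for the superglobals so the script runs from the command line.

```php
<?php
// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$get    = ['page' => '2', 'is_admin' => '1'];   // as if from ?page=2&is_admin=1
$post   = ['comment' => 'hello'];
$cookie = ['theme' => 'dark'];

// The merge the message describes: one array, later sources win on key clashes.
$request = array_merge($get, $post, $cookie);

// Reading by key: user input stays inside the array and cannot reach
// any variable the code did not explicitly assign from it.
function read_by_key(array $request): array
{
    $is_admin = false;                       // decided by application logic only
    $page = (int) ($request['page'] ?? 1);   // explicit key, explicit cast
    return ['is_admin' => $is_admin, 'page' => $page];
}

// extract(): every key becomes a variable in the current scope, which is
// the behaviour register_globals had for the global scope.
function read_by_extract(array $request): array
{
    $is_admin = false;
    extract($request);                       // default EXTR_OVERWRITE replaces $is_admin
    return ['is_admin' => $is_admin, 'page' => $page];
}

var_dump(read_by_key($request));
var_dump(read_by_extract($request));
```

Comparing the two dumps shows that only the extract() variant lets a request parameter change `$is_admin`, regardless of whether the value arrived by GET, POST or cookie.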