Re: Re: [PHP-DB] Re: [PHP] Passing variables to a PHP script on clicking a hyperlink

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/26/07, Richard Lynch <ceo@xxxxxxxxx> wrote:

> This is *SO* not correct at all!
>
> $_REQUEST[] is merely array_merge($_GET, $_POST, $_COOKIE);

Yes and it mimics being lazy - allowing overriding values from $_POST
vs. $_GET vs. $_COOKIE depending on what the programmer wants to
"trust"

It encourages poor practices. There is no reason to not name the
proper source of data - i.e. "i want it from POST not GET"

> It is *NOT* in any way, shape, or form, polluting the global namespace
> of all your variables, which is what register_globals is.

That is why I said it was *one* reason register_globals was disabled -
global namespace was probably the biggest reason, but also variable
overriding and sloppyness allowing for exploits was probably up there
too.

> There could easily be a script written which is expected to respond to
> GET or POST data in the same way, particularly a simplistic
> web-service that doesn't really care if the web "Designers" prefer to
> have buttons or links or CSS links that look like buttons or CSS
> buttons that look like links or rabid squirrels that send the GET
> and/or POST data to make the HTTP request.

Yes, there could. But part of that would rely on a *very* motivated
end-user (or we'll call them "hacker") - they would probably find a
way in or do what they want either way.

There's no reason to make it easier just because "well they can hack
something up to do that anyway" - that's a Microsoft approach to
security. Whatever happened to people at least trying to discourage
abuse or issues.

I have never used $_REQUEST and my applications don't seem to have any
issues. Obviously someone could have tried to switch POST/GET on me,
but I still ensure proper bounds checking/sanity checking/type
checking/etc. But I would not allow someone to issue a GET variable to
override a cookie value without having to make the extra effort (and
furthermore understand how the variables work on the server side to
make it actually work how they want.)

> Use $_POST when you expect the data to always be in POST data.

correct.

> Use $_GET when you expect the data to alwasy be in GET data.

correct.

> If you actually want to accept HTTP requests of either kind for
> flexibility to an external user, by all means use REQUEST.

In my opinion a properly coded web application shouldn't be lazy and
should know the source of data. So I consider this incorrect.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux