Eric Butera wrote:
On Mon, Jul 7, 2008 at 3:10 AM, mike <mike503@xxxxxxxxx> wrote:I have never had a use for this feature. To me it introduces another register_globals style atttack vector. I see no need why people need to combine post/get/etc variables into the same superglobal. I actually run unset($_REQUEST) on it at the top of my library to discourage its use. For third party products which use it I tell people to combine it themselves by using array_merge() - like $_REQUEST = array_merge($_POST, $_GET) etc... Anyway can someone here please give me a good reasoning why it should exist? It isn't as easily abused as register_globals but when people have a session variable they want to access and use $_REQUEST for it I could easily override it by using a GET param on the url (depending on how the order of globals get processed) Simply put, I see no reason why people would not want to clearly define where they are getting their input from. If for some reason there is some need to lazily code something I would still say to do something like: if(isset($_GET['foo'])) { $foo = $_GET['foo']; } elseif(isset($_POST['foo'])) { $foo = $_POST['foo']; } else { $foo = 'default value'; } ... or just do the array merge. But please someone maybe can justify this to me... I've been using superglobals before I really understood how important they were and then one day I see they introduced $_REQUEST and thought .. okay that seems stupid. I finally am deciding to see if anyone can give me a reason as to why this is useful and not just a lazy coding practice that can lead to security risks. You don't really know if your data is coming from GET, from POST, a SESSION variable, etc... I'd love to see a good discussion going on this. I might have overlooked something important. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.phpLaziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules. I don't trust any piece of data that exists on my site whether it comes from request data, the database, or filesystem. So whether id comes from get or post doesn't matter because I always require it to be an int so it really wouldn't matter the origin.
When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
-Shawn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
