On 7/7/08, Eric Butera <eric.butera@xxxxxxxxx> wrote: > Laziness/convenience. > > I always get my data from the exact source I want. If someone chooses > to use REQUEST it shouldn't break their application. You say it is a > security risk, but not really. As long as everything is > filtered/escaped properly it should be fine because you force the data > to play by your rules. I'm not talking about escaping/filtering. I'm talking about variable overriding. In the past, it was $_GET['foo'] $foo register_globals fixed that. however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden. I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username'] It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk. and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php