Re: Looking for a reasonable explanation as to why $_REQUEST exists

On Mon, Jul 7, 2008 at 3:28 PM, mike <mike503@xxxxxxxxx> wrote:
> On 7/7/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>
>> If your app is
>> written correctly it doesn't matter what is thrown at it, it should
>> always work.  Even if a variable gets overridden it should still be
>> forced to play with the rules of the app and work like a valid request
>> does.
>
> That is not an excuse to trust GET and POST for the same variable.
>
> 1) Filter your input
> 2) Sanity check your input/fill in your own default value if one is required
>
>> I think that having a set of if statements that say something like the
>> following is silly.
>> if (isset($_POST['id'])) {
>> } else if (isset($_GET['id'])) {
>> }
>
> Oh it definitely is silly. I'm saying that's a workaround if people
> -had- to mix their POST/GET data.
>
> I've never had to do it and I've coded a variety of apps, including
> plenty of various pagination methods, multi-page forms, etc, etc.
>
> For example:
>
> # 1 - filter it, and typecast it to int
> $page = intval(filter_input(INPUT_GET, 'page',
> FILTER_SANITIZE_NUMBER_INT));
>
> # 2 - sanity check. a page number cannot be negative and it cannot be
> greater than the number of pages (which can be determined by a db
> query, or hardcoded somewhere else)
> if($page < 0 || $page > $maxpages) {
>   $page = 1;
> }
>
> In the end $page should be trusted as it won't have any foreign data -
> it has been intval()'ed and there is a default value put in - $page =
> 1, and there is a bounds check to ensure it's valid info.
>
> For a better user experience, instead of setting $page = 1, I would
> probably use a header("Location: foo.php?page=1"); exit(); so the
> user's URL in the address bar properly matches up with the page. But
> you get the idea.
>

You asked for an explanation.  I was just stating that is how I've
seen some people write apps.  I've also stated that isn't how I write
them either.  I use something along these lines:

$page = $request->getFiltered(new namespace_Validate_Int(min, max),
'page', namespace_Request::GET);

:)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
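The pattern both posters converge on (read the parameter from one explicit source rather than $_REQUEST, filter it, then bounds-check it and fall back to a default) written out as a runnable PHP script. This is an added example, not code from either poster; the helper name readIntParam and the $get/$post sample arrays are constructed here so it runs from the CLI without a web server.

```php
<?php
// Added example (not from the thread): read an integer parameter from ONE
// explicit source (GET or POST), never from $_REQUEST, then filter and
// bounds-check it, falling back to a default when anything is off.
declare(strict_types=1);

/**
 * Fetch $key from the given source array, validate it as an int and
 * check it against [$min, $max]. Anything that fails returns $default.
 * (Hypothetical helper; in a real app $source would be $_GET or $_POST.)
 */
function readIntParam(array $source, string $key, int $min, int $max, int $default): int
{
    if (!array_key_exists($key, $source) || is_array($source[$key])) {
        return $default;                       // missing, or ?page[]=1 style array injection
    }
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", " 7 " etc. instead of
    // silently coercing them the way intval() would, and the range
    // options give us the bounds check in the same call.
    $value = filter_var($source[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Constructed sample inputs standing in for $_GET and $_POST. The same key
// carries a different value in each; $_REQUEST would pick one of them
// according to request_order without the code ever saying which.
$get  = ['page' => '3'];
$post = ['page' => '99999'];

$maxPages = 10; // would normally come from a COUNT(*) query or config

// Pagination links are GET parameters, so read GET and nothing else.
$page = readIntParam($get, 'page', 1, $maxPages, 1);
printf("page from GET: %d\n", $page);   // 3, the POST value is never consulted

// Each of these fails validation and falls back to page 1.
$samples = [
    ['page' => '0'],        // below minimum
    ['page' => '42'],       // above $maxPages
    ['page' => '2abc'],     // trailing garbage
    ['page' => ['1']],      // array where a scalar is expected
    [],                     // parameter absent
];
foreach ($samples as $s) {
    printf("%-16s -> %d\n", json_encode($s), readIntParam($s, 'page', 1, $maxPages, 1));
}
```

The point of passing the source array in explicitly is that the call site documents where the value is allowed to come from; a reviewer reading `readIntParam($_GET, ...)` knows a POST body cannot override it, which is exactly the guarantee $_REQUEST gives up.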

