Re: Re: Best way to test for form submission?


 



On Sat, 2009-08-29 at 01:09 +0800, Eric wrote:
> ----- Original Message ----- 
> From: "Ashley Sheridan" <ash@xxxxxxxxxxxxxxxxxxxx>
> To: "Ben Dunlap" <bdunlap@xxxxxxxxxxxxxxxxxx>
> Cc: <php-general@xxxxxxxxxxxxx>
> Sent: Saturday, August 29, 2009 12:51 AM
> Subject: Re:  Re: Best way to test for form submission?
> 
> 
> > On Fri, 2009-08-28 at 09:33 -0700, Ben Dunlap wrote:
> >> I was surprised when no one recommended this:
> >> 
> >>    if ($_SERVER['REQUEST_METHOD'] == 'POST')
> >> 
> >> So now I'm wondering if there's a pitfall to this method that I'm not
> >> aware of...
> >> 
> >> Thanks,
> >> 
> >> Ben
> >> 
> > 
> > Well, as far as I'm aware $_SERVER isn't reliable from server to server.
> > That said, I've never had a problem using it.
> > 
> > I probably wouldn't use this however, as it does only check for the
> > existence of POST data. Sometimes I'll trigger the same PHP script from
> > both POST and GET. For example, a search form would use POST in the
> > initial form, and then if it was paginated, the links forwards and
> > backwards through the results would be GET (like Google). I usually just
> > tend to use the $_REQUEST array instead of $_POST or $_GET. You get the
> > benefit of being able to work with both arrays (as well as $_SESSION and
> > $_COOKIE) without any drawbacks.
> 
> 
> If you only use the $_REQUEST global array, it may or may not carry a risk of 
> CSRF. Take a look at this link: http://www.cgisecurity.com/csrf-faq.html
> 
> I read it a few days ago.
> 
> Eric
> 
> > 
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> > 
> > 
> > 
> > 
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> >
It's no less safe than just using $_POST (which the article itself
says). The sensible thing to do is mistrust ANY data coming from the
client machine, and always validate it before using it.

Thanks,
Ash
http://www.ashleysheridan.co.uk
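
Added example, not part of the original message or any poster's code: a handler that combines the points raised in this thread (branch on REQUEST_METHOD, read each value from the specific array rather than $_REQUEST, check a CSRF token on POST, validate everything). The function name handle_request() and the field names email, page and csrf_token are assumptions for illustration.

```php
<?php
// Added example. handle_request() and the field names are hypothetical.
// The superglobals are passed in as arguments so the logic can be exercised
// with constructed requests.

function handle_request(array $server, array $get, array $post, array $session): array
{
    $method = $server['REQUEST_METHOD'] ?? '';

    if ($method === 'GET') {
        // Read-only view (e.g. paginated results): take the value from $_GET
        // only and validate it before use.
        $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
        return $page === false
            ? ['status' => 400, 'error' => 'bad page']
            : ['status' => 200, 'page' => $page];
    }

    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'method not allowed'];
    }

    // Form submission: read from $_POST, not $_REQUEST, so a value in the
    // query string (or, depending on request_order, a cookie) cannot stand
    // in for a form field.
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($known) || $known === ''
        || !hash_equals($known, $sent)) {
        return ['status' => 403, 'error' => 'bad CSRF token'];
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['status' => 400, 'error' => 'bad email'];
    }
    return ['status' => 200, 'email' => $email];
}

// Constructed sample requests (stand-ins for $_SERVER, $_GET, $_POST, $_SESSION).
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$ok   = handle_request(['REQUEST_METHOD' => 'POST'], [],
                       ['csrf_token' => $session['csrf_token'], 'email' => 'a@example.com'], $session);
$csrf = handle_request(['REQUEST_METHOD' => 'POST'], [], ['email' => 'x@example.com'], $session);
$page = handle_request(['REQUEST_METHOD' => 'GET'], ['page' => '3'], [], $session);
printf("%d %d %d\n", $ok['status'], $csrf['status'], $page['status']);
```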



