On Mon, 2010-02-22 at 23:49 +0100, John Black wrote: > On 02/22/2010 11:42 PM, Michael Shadle wrote: > > The difference here is you can at least have some control over the data > > and expect it in a certain fashion. Also the behavior of cookies vs. get > > vs. post are different (cookies have length and expiration limits, get > > has length limits, post has server confgured limits) > > The cookie and post/get part is all mixed up now :) > > I use $_COOKIE when I want cookie information but I know that the data > is not to be trusted and is easily fabricated. > > When reading get or post I just use $_REQUEST nowadays because I don't > have to care how the submitting form is written. This makes my form > handling data more portable. > > -- > John > You may say I'm a dreamer, but I'm not the only one, > I hope some day you'll join us, And the world will live as one. > [John Lennon] > As many people have mentioned already, there's absolutely no security risk of using $_REQUEST over $_POST or $_GET. I generally use $_REQUEST unless I am specifically coding something that needs me to send data over both post and get at the same time. The thing is, just make sure you sanitise all the data that comes from the browser. That includes cookie values, post data, etc. Proper sanitisation is crucial and necessary, and no amount of obscurity about how you are getting your data will help. Thanks, Ash http://www.ashleysheridan.co.uk
