Re: [PHP] Re: [PHP-DB] Re: [PHP] Passing variables to a PHP script on clicking a hyperlink

On Fri, August 24, 2007 3:20 am, Goltsios Theodore wrote:

>> Please do not encourage the use of $_REQUEST.
>>
>> You might as well just tell people to enable register_globals again.

This is *SO* not correct at all!

$_REQUEST[] is merely array_merge($_GET, $_POST, $_COOKIE);

It is *NOT* in any way, shape, or form, polluting the global namespace
of all your variables, which is what register_globals is.

Don't use http://php.net/extract on $_REQUEST; that would be the same as
enabling register_globals again.

There is no real difference from a SECURITY stand-point between GET or
POST or COOKIE.  They are all equally trivial to inject any data the
user chooses.

Using $_GET versus $_POST (versus $_COOKIE) is an issue of code
clarity -- You know that the data is expected to come from the URL or
the POST data.  It is not, repeat not, an issue of Security.

There could easily be a script written which is expected to respond to
GET or POST data in the same way, particularly a simplistic
web-service that doesn't really care if the web "Designers" prefer to
have buttons or links or CSS links that look like buttons or CSS
buttons that look like links or rabid squirrels that send the GET
and/or POST data to make the HTTP request.

So the blanket statement to never use $_REQUEST is probably ill-advised.

Use $_POST when you expect the data to always be in POST data.

Use $_GET when you expect the data to always be in GET data.

If you actually want to accept HTTP requests of either kind for
flexibility to an external user, by all means use REQUEST.

You must, of course, also factor in that you should never ever use
POST for a non-idempotent operation.  Or, in layman's terms, if the
script *changes* data, use POST and not GET.  That is a totally
separate reason to choose POST over GET or vice versa.

ymmv
naiaa
ianal

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
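As an added example (not part of the original mail), the following PHP shows the variable clobbering that extract() on merged request data causes, beside a handler that reads only the keys it expects. The request arrays are constructed, and the merge mirrors the mail's array_merge description; real PHP fills $_REQUEST according to the request_order / variables_order ini settings.

```php
<?php
// Added example, not from the original mail. Demonstrates why extract()
// on request data reintroduces the register_globals hazard, and a safe
// alternative that reads named keys and validates them.

// Constructed request data standing in for $_GET, $_POST and $_COOKIE.
$get    = ['id' => '42', 'authenticated' => '1'];
$post   = ['id' => '7'];
$cookie = ['session' => 'abc'];

// Assumption: merge order follows the mail's description (GET, then POST,
// then COOKIE; later keys override earlier ones). Real PHP derives
// $_REQUEST from the request_order / variables_order ini settings.
$request = array_merge($get, $post, $cookie);

function unsafe_handler(array $request): bool
{
    $authenticated = false;   // would normally be set by real auth logic
    // extract() imports every request key as a local variable and, with
    // its default EXTR_OVERWRITE flag, replaces $authenticated with the
    // client-supplied string '1'. This is register_globals in miniature.
    extract($request);
    return (bool) $authenticated;
}

function safe_handler(array $request): array
{
    $authenticated = false;   // request data cannot reach this variable
    // Read only the keys this script expects, and validate each one.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return ['id' => $id, 'authenticated' => $authenticated];
}

var_dump(unsafe_handler($request));  // flag now under client control
var_dump(safe_handler($request));    // POST id wins; flag untouched
```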

