On 8/26/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
> This is *SO* not correct at all!
>
> $_REQUEST[] is merely array_merge($_GET, $_POST, $_COOKIE);

Yes, and it mimics being lazy - allowing overriding values from $_POST vs. $_GET vs. $_COOKIE depending on what the programmer wants to "trust". It encourages poor practices. There is no reason to not name the proper source of data - i.e. "I want it from POST not GET".

> It is *NOT* in any way, shape, or form, polluting the global namespace
> of all your variables, which is what register_globals is.

That is why I said it was *one* reason register_globals was disabled - global namespace was probably the biggest reason, but also variable overriding and sloppiness allowing for exploits was probably up there too.

> There could easily be a script written which is expected to respond to
> GET or POST data in the same way, particularly a simplistic
> web-service that doesn't really care if the web "Designers" prefer to
> have buttons or links or CSS links that look like buttons or CSS
> buttons that look like links or rabid squirrels that send the GET
> and/or POST data to make the HTTP request.

Yes, there could. But part of that would rely on a *very* motivated end-user (or we'll call them "hacker") - they would probably find a way in or do what they want either way. There's no reason to make it easier just because "well they can hack something up to do that anyway" - that's a Microsoft approach to security. Whatever happened to people at least trying to discourage abuse or issues?

I have never used $_REQUEST and my applications don't seem to have any issues. Obviously someone could have tried to switch POST/GET on me, but I still ensure proper bounds checking/sanity checking/type checking/etc. But I would not allow someone to issue a GET variable to override a cookie value without having to make the extra effort (and furthermore understand how the variables work on the server side to make it actually work how they want).
> Use $_POST when you expect the data to always be in POST data.

Correct.

> Use $_GET when you expect the data to always be in GET data.

Correct.

> If you actually want to accept HTTP requests of either kind for
> flexibility to an external user, by all means use REQUEST.

In my opinion a properly coded web application shouldn't be lazy and should know the source of data. So I consider this incorrect.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
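The practice argued for in the reply above (name the source of each input, and validate it there) can be made concrete with a small helper. The following is an added example written for this thread, not code from either poster: `param_from`, `id_from_get` and `session_token_from_cookie` are hypothetical names, and the `$_GET`/`$_COOKIE` contents at the bottom are constructed so the script runs from the command line without a web server.

```php
<?php
// Added example: read request data from one explicitly named source
// instead of $_REQUEST, and type-check it at the point of use.

declare(strict_types=1);

/**
 * Fetch a scalar parameter from exactly one source: 'get', 'post' or 'cookie'.
 * No merging across sources takes place, so a key present in the query
 * string cannot stand in for the same key expected in the cookie jar.
 * Returns null when the key is absent or is not a plain string.
 */
function param_from(string $source, string $key): ?string
{
    $sources = [
        'get'    => $_GET,
        'post'   => $_POST,
        'cookie' => $_COOKIE,
    ];
    if (!isset($sources[$source])) {
        throw new InvalidArgumentException("unknown source: $source");
    }
    $bag = $sources[$source];
    // Arrays arrive via key[]=... notation; treat them as absent here.
    if (!array_key_exists($key, $bag) || !is_string($bag[$key])) {
        return null;
    }
    return $bag[$key];
}

/** Record id that must arrive in the query string, bounded to a sane range. */
function id_from_get(string $key = 'id', int $max = 1000000): ?int
{
    $raw = param_from('get', $key);
    if ($raw === null || !ctype_digit($raw)) {
        return null;            // missing, negative, or not all digits
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

/** Session token that must arrive as a cookie, never via GET or POST. */
function session_token_from_cookie(string $key = 'sid'): ?string
{
    $raw = param_from('cookie', $key);
    // Accept only a 32-character lowercase hex token; reject everything else.
    return ($raw !== null && preg_match('/^[0-9a-f]{32}$/', $raw) === 1)
        ? $raw
        : null;
}

// Constructed request data for a stand-alone run (PHP fills these in
// for a real request). The query string also carries a 'sid' key, which
// the cookie helper never sees because it reads $_COOKIE alone.
$_GET    = ['id' => '42', 'sid' => 'not-a-cookie'];
$_POST   = [];
$_COOKIE = ['sid' => str_repeat('a', 32)];

var_dump(id_from_get());               // int(42)
var_dump(session_token_from_cookie()); // string(32) "aaaa...a"
var_dump(param_from('post', 'id'));    // NULL: the id was not POSTed
```

With `$_REQUEST`, which of the duplicated `sid` values wins for a given installation depends on the `request_order` / `variables_order` ini settings rather than on anything in the application code; reading from a named superglobal removes that dependency, and doing the bounds and format checks in the same helper keeps the validation next to the declaration of where the value is allowed to come from.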