I agree with you Simon - if we have too many sources for input
variables, some of which check varying sources in priority, it's just
another $_REQUEST situation where these values could conceivably come
from anywhere. It's better practice to use a method which selects
values from a known source, on the basis that if it comes from anywhere else
unexpectedly it should ring a few alarm bells for the developer. I'd
actually call it first-line filtering/validation - if we know a value
should be received via POST, then if the same value is retrievable from
GET it should be ignored unless it's for a valid reason.
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


----- Original Message ----
From: Simon R Jones <[EMAIL PROTECTED]>
To: Zend Mailing List <[email protected]>
Sent: Thursday, March 22, 2007 8:13:19 AM
Subject: RE: [fw-general] Zend_Filter_Input...

> You can use $this->_getParam('key', 'default'); in a Controller, because
> _getParam() uses the Request->getParam() method, which tries first to
> load the param from the URL, then from $_GET and after this from $_POST.

If $this->_getParam() looks at the URL, GET and POST isn't it a potential
security issue to use it for POST variables since you don't know exactly
where your input variables are coming from?

Seems rather similar to $_REQUEST to me which should also be avoided for
similar reasons - 
http://shiflett.org/articles/ideology

From a quick look at the (nicely growing) manual, it seems you can do the
following, which does the job nicely for POST variables:

// getPost() lives on the request object, so fetch it via getRequest() inside a controller
$myVar = $this->getRequest()->getPost('name');

(See API docs / Zend_Controller_Request_Http for more)

There do seem to be a lot of methods that return variables from GET, POST,
COOKIE, etc. I think it would be a good idea to mention the security
implications of depending on these in the manual..

Si
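To make the difference concrete, here is an added example (not code from Zend Framework or from either poster) that models the lookup order Simon describes for Request->getParam(): router params from the URL first, then $_GET, then $_POST. The LooseRequest class, its constructor arguments and the postOnly() helper are simplified assumptions for illustration, not the real Zend_Controller_Request_Http implementation, and the request contents are constructed inline.

```php
<?php
// Added example, not Zend Framework code. LooseRequest is an assumed,
// simplified stand-in for a request object with getParam()/getPost().

class LooseRequest
{
    private $params; // values the router extracted from the URL path
    private $get;    // query string
    private $post;   // form body

    public function __construct(array $params, array $get, array $post)
    {
        $this->params = $params;
        $this->get    = $get;
        $this->post   = $post;
    }

    // Like getParam(): first source that has the key wins, whatever its origin.
    public function getParam(string $key, $default = null)
    {
        foreach ([$this->params, $this->get, $this->post] as $source) {
            if (array_key_exists($key, $source)) {
                return $source[$key];
            }
        }
        return $default;
    }

    // Like getPost(): only the request body is consulted.
    public function getPost(string $key, $default = null)
    {
        return array_key_exists($key, $this->post) ? $this->post[$key] : $default;
    }

    // Like getQuery(): only the query string is consulted.
    public function getQuery(string $key, $default = null)
    {
        return array_key_exists($key, $this->get) ? $this->get[$key] : $default;
    }
}

// First-line filtering in Pádraic's sense (assumed helper): a field the
// handler expects via POST must not also arrive via the query string.
function postOnly(LooseRequest $r, string $key)
{
    if ($r->getQuery($key) !== null) {
        // An attacker should not be able to supply this field through a URL.
        throw new RuntimeException("Unexpected GET parameter '$key' for a POST-only field");
    }
    return $r->getPost($key);
}

// Constructed request: the form POSTs amount=10, but the URL it was
// submitted to also carries ?amount=9999 (e.g. a crafted link).
$request = new LooseRequest(
    [],                                  // no router params
    ['amount' => '9999'],                // query string
    ['amount' => '10', 'csrf' => 'abc']  // form body
);

// Sloppy: whichever source answers first is used; here that is the GET value.
var_dump($request->getParam('amount')); // string(4) "9999"

// Deliberate: the handler knows this field comes by POST, so it asks only there.
var_dump($request->getPost('amount'));  // string(2) "10"

// Stricter still: refuse the request when the POST-only field leaks in via GET.
try {
    var_dump(postOnly($request, 'amount'));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The point is that getParam() and getPost() disagree on the same request, and that the disagreement is exactly the $_REQUEST-style ambiguity the thread is about; postOnly() turns it into a visible failure rather than a silent choice.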
