On Jan 5, 2008 3:48 PM, Stefan Esser <[EMAIL PROTECTED]> wrote:
> Hello,
> >> typing into PHP, even if it is optional.  Passing $_REQUEST['age'] to a
> >>
> > that $_REQUEST['age'] has been checked for numeric before the functio
>
> would you please not use $_REQUEST in any of your examples? $_REQUEST is
> one of the biggest design weaknesses in PHP. Every application using
> $_REQUEST is most probably vulnerable to Delayed Cross Site Request
> Forgery problems. (This basically means if e.g. a cookie named (age)
> exists it will always overwrite the GET/POST content and therefore
> unwanted requests will be performed)

    It may be off-topic for the initial post, but I disagree
wholeheartedly with the above statement, Stefan.  There are
innumerable reasons where $_REQUEST would be much more economic than
writing out all conditions for $_POST, $_GET, $_SESSION, $_COOKIE....

    It's certainly not 100% advantageous, but that's the reason why we
make the Big Bucks[tm], right?

    *cough* Right?

    /me cries softly in the corner.



-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
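
The overwrite described in the quoted message, as an added example that is not part of either message or of PHP's own source: it models a merge of GET, POST and cookie data under an order string in the style of PHP's `variables_order` / `request_order` directives, then shows a read from one explicit source. `build_request()` and `int_from()` are hypothetical helpers, and the order strings and request values are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. All request values are constructed.

/**
 * Hypothetical model of how $_REQUEST is filled: sources are merged in the
 * order given by an order string, and a later source overwrites an earlier
 * one on a key collision. Letters other than G, P and C are ignored here.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Read an integer from one named source only; null if absent or not an integer. */
function int_from(array $source, string $key): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Constructed request: the form posts age=30 while the browser still holds
// a cookie named "age" that was set at some earlier time.
$get    = [];
$post   = ['age' => '30'];
$cookie = ['age' => '99'];

// Cookies merged last: the stale cookie replaces the value the user just posted.
$cookiesLast = build_request('GPC', $get, $post, $cookie);
// Cookies left out of the order string: the posted value survives.
$noCookies = build_request('GP', $get, $post, $cookie);

printf("order GPC: age=%s\n", $cookiesLast['age']);
printf("order GP:  age=%s\n", $noCookies['age']);
// Reading the one source the form is known to use avoids the question entirely.
var_dump(int_from($post, 'age'));
```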
