Stanislav Malyshev wrote:
>> @Richard: You don't understand the problem with _REQUEST. It is not
>> about the fact that someone can forge GET, POST, COOKIE variables.
>> It is about the fact that COOKIEs will overwrite GET and POST data in
>> REQUEST.
>
> Isn't it solved by setting variables_order to correct value, at least
> partially? I.e. if you have variable in GET/POST it won't be overwritten
> by the COOKIE one, of course there still may be a scenario when the
> variable is set only in COOKIE, but then doesn't omitting 'C' from
> variables_order exclude cookies from _REQUEST?

I think this argument is a big misunderstanding. What Stefan (I think)
is trying to get across is that it is probably not best practices to use
$_REQUEST unless you know exactly what it means to use $_REQUEST. I
know we had some issues at dealnews where people were using $_REQUEST
because they wanted to handle GET and POST in one stroke. But, cookies
would get in the way because (and this is the key) they are set in other
pages/apps that are in no way related to the app/page in question.

So, I think Stefan's request is in the spirit of promoting best
practices to people reading this list. IMO, best practices for these
variables would be to access $_GET, $_POST and $_COOKIE explicitly so
that you always know what you are getting.

Frankly, I have considered changing the order to CGP on my servers.
Most often, I would want GET to override cookies as they would collide
most often when I was toggling a setting via a link or form that is to
be saved to a cookie.

Hmm, I think I feel a blog post coming on.

--
Brian Moon
Senior Developer/Engineer
------------------------------
When you care enough to spend the very least.
http://dealnews.com/
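
The precedence argued over in this thread, as an added example that is not part of the original message or of PHP's own source: a small PHP model of how $_REQUEST is assembled from the order string, run with a cookie left behind by an unrelated app. The function name `build_request` and all sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Model of how $_REQUEST is filled (illustration only, not PHP's source).
 * Sources are applied left to right, so on a key collision the later
 * letter wins. Only G, P and C feed $_REQUEST; E and S are skipped.
 * Since PHP 5.3 the request_order directive, when set, is used for
 * $_REQUEST instead of variables_order.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the later source overwrite.
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Constructed input: the user clicks a link carrying ?view=list, while a
// cookie named "view" was set earlier by an unrelated page on the domain.
$get    = ['view' => 'list'];
$post   = [];
$cookie = ['view' => 'grid', 'theme' => 'dark'];

// Cookies last, cookies first (the CGP order from the message), no cookies.
foreach (['EGPCS', 'CGP', 'GP'] as $order) {
    $r = build_request($order, $get, $post, $cookie);
    printf(
        "%-5s view=%-8s theme=%s\n",
        $order,
        $r['view'] ?? '(unset)',
        $r['theme'] ?? '(unset)'
    );
}

// Explicit access, as the message recommends: the page states its own
// precedence and does not depend on the server's ini settings.
$view = $get['view'] ?? $cookie['view'] ?? 'list';
printf("explicit view=%s\n", $view);
```

With cookies applied last, the unrelated cookie replaces the value from the link; with `CGP` the link wins but cookie-only keys such as `theme` still reach $_REQUEST; with `GP` cookies never appear in $_REQUEST at all.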