Hi,

> variables_order:  They should be the same on dev and prod.
> 
> request_order:  Seems like it should be the same.

Caution! I've read several times in this thread that request_order
should be set to something that also contains C. This is DANGEROUS.
request_order was specifically introduced to determine the order of
variable merging that leads to $_REQUEST, while variables_order defines
the variables that are assigned *at all* (and without register_globals
and with request_order, the _order is actually misleading).

So: request_order should *ONLY* be set to "GP" in order NOT to have
cookies popping up in $_REQUEST - else everybody who uses $_REQUEST is
vulnerable to CSRF.

Also, a recommendation for request_order only makes sense as "GP" (on
both production *and* development machine) and setting variables_order
to "GPCS".

Furthermore, the comment in the ini file that request_order is in there
for performance reasons is just PLAIN WRONG and gives the impression
that setting it to "GPCS" or empty will just cost a little performance -
where it clearly allows for CSRF if people use $_REQUEST.

Regards,
Christian

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

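As an added illustration, not part of Christian's mail and not PHP's own source, the PHP script below models how the letters in request_order are merged into $_REQUEST (later sources overwrite earlier ones) and audits a running configuration for the setting the mail warns about. The merge function is a simplified model of the engine's behaviour; the ini directive names are real, while the $_GET/$_POST/$_COOKIE arrays are constructed sample data.

```php
<?php
// Added example (not from the original mail): models $_REQUEST construction
// from request_order and audits the running configuration.
//
// Recommended php.ini settings from the thread:
//   variables_order = "GPCS"
//   request_order   = "GP"

declare(strict_types=1);

/**
 * Simplified model of $_REQUEST construction: walk the order string left to
 * right; each later source overwrites keys set by an earlier one.
 * Only G, P and C are meaningful for $_REQUEST; other letters are ignored.
 */
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * The order PHP actually uses for $_REQUEST: request_order when set,
 * otherwise it falls back to variables_order.
 */
function effective_request_order(): string
{
    $order = (string) ini_get('request_order');
    return $order !== '' ? $order : (string) ini_get('variables_order');
}

/**
 * Configuration audit: returns a list of findings (empty array means OK).
 * request_order is a PHP_INI_PERDIR directive, so it must be fixed in
 * php.ini or .htaccess, not via ini_set() at runtime.
 */
function audit_request_order(string $requestOrder, string $variablesOrder): array
{
    $findings  = [];
    $effective = $requestOrder !== '' ? $requestOrder : $variablesOrder;
    if ($requestOrder === '') {
        $findings[] = 'request_order is empty; $_REQUEST falls back to variables_order';
    }
    if (strpos(strtoupper($effective), 'C') !== false) {
        $findings[] = 'cookies are merged into $_REQUEST (effective order "' . $effective . '")';
    }
    return $findings;
}

// --- demo with constructed sample data (not real requests) ---
$get    = ['action' => 'view'];
$post   = ['action' => 'save', 'csrf_token' => 'tok-from-form'];
$cookie = ['csrf_token' => 'tok-from-cookie', 'action' => 'delete'];

// With "GP" the cookie values never reach $_REQUEST; with "GPC" they
// overwrite the form-supplied values, which is the hazard the mail describes.
foreach (['GP', 'GPC', 'CGP'] as $order) {
    printf("request_order=%-4s => %s\n", $order,
        json_encode(merge_request($order, $get, $post, $cookie)));
}

// Audit the interpreter this script runs under.
foreach (audit_request_order(effective_request_order(), (string) ini_get('variables_order')) as $finding) {
    echo "WARNING: $finding\n";
}
```

Run it with `php script.php` under the php.ini in question; an empty audit output means request_order is set and contains no C, which is the configuration the mail recommends.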